[BreachExchange] Roper St. Francis, Valley Professionals Phishing Attacks Breach Patient Data

Destry Winant destry at riskbasedsecurity.com
Wed Feb 6 09:07:13 EST 2019


https://healthitsecurity.com/news/roper-st.-francis-valley-professionals-phishing-attacks-breach-patient-data

Charleston, South Carolina-based Roper St. Francis Healthcare and
Valley Professionals Community Health Center (VPCHC) in Indiana
recently began notifying patients that their data was potentially
breached after employees fell victim to targeted phishing campaigns.

Thirteen Roper St. Francis employees fell victim to a large-scale
phishing campaign, which was discovered on November 30. Access was
blocked upon discovery. Officials said the investigation determined
the hacker had access between November 15 and December 15.

Roper St. Francis hired a third-party forensics team to help
investigate and determined the email accounts contained a wide range
of data that varied by patient. The compromised information could
include names, medical record numbers, health insurance details, and
medical services.

For a limited number of patients, Social Security numbers and
financial data were breached. All patients will receive a year of free
credit monitoring. The breach is not yet listed on the Department of
Health and Human Services’ Office for Civil Rights breach reporting
tool, so it’s currently unknown how many patients were impacted. But
Roper St. Francis includes more than three hospitals.

VALLEY PROFESSIONALS COMMUNITY HEALTH CENTER

About 12,000 patients were impacted by the phishing attack on VPCHC,
an Indiana health network that includes seven health centers in
Indiana.

A VPCHC employee fell victim to a phishing attempt, in which the
hacker sent an email impersonating a health organization that had
worked with the health network in the past. The email appeared to be
genuine and looked as if it came from a known sender.

As a result, officials discovered suspicious activity from the
compromised account on November 27. The account was quickly secured,
and officials launched an investigation with help from a third-party
forensics team to determine the extent of the attack.

They determined the hacker had access to the account for a month
between October 26 and when the breach was discovered. The compromised
emails included names, addresses, Social Security numbers, medical
record numbers, diagnoses, patient identification numbers, providers,
payment information, treatments, procedures, and dates of birth.

For a small group of patients, bank account numbers, health insurance
details, and/or routing numbers were breached. Officials could not
determine what, if any, emails were accessed by the hacker. But 12,000
patients have been notified.

VPCHC has since bolstered its technical safeguards and provided
employees with further phishing training and education.

Phishing attacks have continued to pummel the healthcare sector in
recent years, as hackers have increased the sophistication of attacks.
Often, cyberattacks can go undetected for months, such as those seen
in recent notifications from Critical Care, Pulmonary & Sleep
Associates, Sacred Heart Rehabilitation Center, BenefitMall, and a
host of others.

Reducing the decisions users have to make around email can help reduce
risk, while stronger network monitoring can more readily detect
these attacks.

