[BreachExchange] Phishing Attack Aimed at Stealing Payroll Deposits

Destry Winant destry at riskbasedsecurity.com
Mon Jul 22 09:36:16 EDT 2019


https://www.databreachtoday.com/phishing-attack-aimed-at-stealing-payroll-deposits-a-12804

A Texas-based healthcare system says hackers unsuccessfully tried to
divert employee payroll direct deposits through a phishing attack that
also potentially exposed patient data. The incident illustrates how
business processes can help avert theft.

Decatur, Texas-based Wise Health System, which employs 1,900 and
includes a medical center, several clinics and specialty care
facilities, says an email phishing campaign was launched against its
staff on March 14.

"Unfortunately, a few of Wise Health System's employees provided their
usernames and passwords in response to this phishing email," the
organization says in a statement. "Once these usernames and passwords
were obtained, the intruders used the information to access the
employee kiosk in an attempt to divert payroll direct deposits."

Wise says that while it does not believe that it was the intent of the
phishing attack to obtain patient information, access to the email
boxes may have compromised patient information, such as medical record
number, diagnostic and treatment information, and potentially
insurance information.

"Again, we believe the purpose of this campaign was to divert payroll
direct deposits rather than to obtain patient information," the
statement notes. Wise Health System has not received any reports of
patient identity theft since the date of the phishing incident, the
statement adds.

A listing of the Wise Health breach on the Department of Health and
Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool
website indicates the "hacking/IT incident" was reported on July 13 as
impacting nearly 36,000 individuals.

Wise Health did not immediately respond to an Information Security
Media Group request for comment. Its website appears to show a link to
an "employee kiosk" that is not currently functioning.

Scheme Foiled

According to a report by the Wise County Messenger, a local newspaper,
Kimberly Browder, Wise vice president of compliance and privacy
officer, says hackers tried to change approximately 100 payroll direct
deposits. But the hospital's payroll system requires a paper check be
printed for two payrolls after any changes are made to an employee's
direct deposit.

When payroll was completed on April 5, an unusual number of checks
were required to be printed, which raised a red flag, Browder told the
Messenger. So that paper check safeguard appears to have prevented the
theft of funds.

"We forced a password change immediately, systemwide," Browder told
the Messenger, adding that all employees were paid and no worker
missed a paycheck.

Wise Health is reportedly offering affected individuals 12 months of
prepaid credit monitoring and identity theft protection.

Safeguards Play Important Role

Tom Walsh, president of consulting firm tw-Security, says that the
process for making any changes to employee-related data should always
require an authorization. That includes changes involving an
employee's bank and account numbers for payroll direct deposits,
beneficiaries on life insurance policies and health insurance
benefits.

"The employee portal makes it easier and more convenient, but the
assurance that the HR department is actually communicating with the
employee may have been lost for the sake of convenience," he says.

"Treat an employee portal or kiosk like an ATM machine at the bank,"
he advises. "Require multifactor authentication as the authorization
for handling sensitive transactions."
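The two controls described above, the two-payroll paper-check hold with its check-count red flag from the "Scheme Foiled" section and the authorization requirement Walsh describes for deposit changes, can be modelled as a small policy engine. The block below is an added example, not Wise Health's payroll system or any vendor's code: the employee ids, the baseline of three paper checks per run, the seven-day change-volume window, the `authorized` flag standing in for an out-of-band HR confirmation, and the `require_authorization` switch are all assumptions. It runs the same phishing scenario twice, once with the authorization gate on (the change requests are refused) and once with the gate off (the changes are accepted, but the paper-check rule keeps the money from moving and the spike in printed checks raises the alert, as happened on April 5).

```python
# Added example: payroll direct-deposit change controls modelled on the
# safeguards described in the article. Not Wise Health's system; all
# names, thresholds and the authorization flag are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

PAPER_CHECK_PAYROLLS = 2  # page: paper check printed for two payrolls after a change


@dataclass
class DepositChange:
    employee_id: str
    requested_on: date
    authorized: bool  # hypothetical: HR confirmed the request out of band (e.g. MFA)
    paper_runs_left: int = PAPER_CHECK_PAYROLLS


class PayrollControls:
    def __init__(self, baseline_paper_checks: int,
                 require_authorization: bool = True, window_days: int = 7):
        self.baseline = baseline_paper_checks   # normal paper-check count per run (assumed)
        self.require_authorization = require_authorization
        self.window = timedelta(days=window_days)
        self.pending = {}    # employee_id -> DepositChange still in its paper-check period
        self.rejected = []   # changes refused for lacking authorization
        self.history = []    # accepted changes, for volume checks

    def request_change(self, change: DepositChange) -> bool:
        """Accept a direct-deposit change; with the gate on, only authorized ones."""
        if self.require_authorization and not change.authorized:
            self.rejected.append(change)
            return False
        self.pending[change.employee_id] = change
        self.history.append(change)
        return True

    def change_volume_alert(self, as_of: date) -> int:
        """Accepted changes in the trailing window; a count above baseline is suspicious."""
        start = as_of - self.window
        return sum(1 for c in self.history if start <= c.requested_on <= as_of)

    def run_payroll(self, employees) -> dict:
        """Pay everyone; anyone with a recent change gets a paper check instead."""
        paper, direct = [], []
        for emp in employees:
            change = self.pending.get(emp)
            if change is None:
                direct.append(emp)
                continue
            paper.append(emp)
            change.paper_runs_left -= 1
            if change.paper_runs_left == 0:
                del self.pending[emp]   # hold period over; direct deposit resumes
        return {"paper": paper, "direct": direct, "alert": len(paper) > self.baseline}


def simulate() -> dict:
    """Constructed scenario: 20 employees, one legitimate change, 8 changes
    submitted through accounts whose credentials were phished."""
    employees = [f"emp{i:03d}" for i in range(20)]
    phished = employees[5:13]
    results = {}
    for label, gated in (("gated", True), ("ungated", False)):
        controls = PayrollControls(baseline_paper_checks=3, require_authorization=gated)
        controls.request_change(DepositChange("emp001", date(2019, 3, 1), authorized=True))
        for emp in phished:  # self-service kiosk changes with no HR confirmation
            controls.request_change(DepositChange(emp, date(2019, 3, 14), authorized=False))
        runs = [controls.run_payroll(employees) for _ in range(3)]
        results[label] = {
            "rejected": len(controls.rejected),
            "recent_changes": controls.change_volume_alert(date(2019, 3, 14)),
            "first_run": runs[0],
            "third_run": runs[2],
        }
    return results


if __name__ == "__main__":
    for label, r in simulate().items():
        print(label, "rejected:", r["rejected"], "recent changes:", r["recent_changes"],
              "paper checks in first run:", len(r["first_run"]["paper"]),
              "alert:", r["first_run"]["alert"])
```

In the gated run the eight phished-account requests never reach the pay run, so nothing unusual appears; in the ungated run nine paper checks against a baseline of three trips the alert, every employee is still paid, and by the third run the hold period has expired for everyone. The volume check is a generalization beyond the article: it catches a burst of changes before payroll day rather than at it.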

Kate Borten, president of privacy and security consulting firm The
Marblehead Group, notes that to help prevent security incidents
involving employee data systems from also potentially impacting
patient data, it's critical that healthcare entities take a holistic
security approach.

"Healthcare and any other types of organizations should aim to develop
a generic information security program, starting with identifying all
confidential information assets held by the organization," she notes.
"Then apply security safeguards for all such information in any form.
Avoid siloing based on industry regulations, since most security
controls are data-neutral and common to many or most regulations and
standards."

Email Risks

To reduce the odds that phishing and other email-related incidents
succeed in exposing sensitive data, Walsh advises against sharing
confidential information in email.

"Use other secure methods for sharing information," he says. "For
example, instead of sending a spreadsheet filled with patient
information as an attachment to email, store the spreadsheet on a
common network drive ... plus password protect the spreadsheet."

While this creates additional steps and could be perceived as
inconvenient, it helps prevent data from being exposed in the event
that a user's email gets hacked or compromised, Walsh says.

Hackers know that many people quickly respond to any type of a request
that purportedly comes from executive management, Walsh adds. "This is
one of the reasons why phishing emails have been so successful.
Employees will bypass the normal protocols and procedures followed for
making changes - even violating their own internal policies - in order
to quickly respond to a request by upper management."

Regardless of who is making a request, employees need to understand
that they must "stick to and follow organizational policies," he adds.
"These processes were established to protect both the company as well
as the employee - especially if the request involves money or
passwords."

Other Breaches

In another employee portal incident last year, a coding error
inadvertently allowed some users of a portal for the Employee
Retirement System of Texas to view the information of others,
potentially exposing information on nearly 1.25 million of its
members.

That incident was among the five largest health data breaches reported
to HHS in 2018.

