[BreachExchange] 109K Patient Records Impacted in Overlake Medical Phishing Attack

Destry Winant destry at riskbasedsecurity.com
Fri Feb 21 10:03:11 EST 2020


https://healthitsecurity.com/news/109k-patient-records-impacted-in-overlake-medical-phishing-attack

February 20, 2020 - Overlake Medical Center and Clinics in Washington
is notifying about 109,000 patients that some of their health
information was potentially compromised during a phishing attack.

On December 9, officials said they first detected the phishing attack
and quickly reset the password to stop the unauthorized access. An
investigation revealed the attack began three days earlier on just one
employee email account.

However, several other employee email accounts were also compromised
for several hours on December 9.

The compromised accounts contained a range of patient information
including names, contact information, dates of birth, diagnoses,
treatment information, health insurance identification numbers, and
health insurance provider names. Social Security numbers and financial
data were not impacted.

Overlake Medical has since bolstered its email security to block
phishing emails, along with implementing multi-factor authentication
and new email retention policies. Employees have also received
additional security awareness training.

WISE HEALTH ADDS 30K PATIENTS TO BREACH VICTIM TALLY

Texas-based Wise Health has added to its initial tally of patients
impacted by a phishing attack first reported in July 2019. At the
time, an estimated 35,899 patients were notified of the potential
breach. After a data audit, the final breach victim tally has reached
66,984 patients.

The audit was launched in July 2019 after the initial breach report.
Several employees responded to phishing emails in March 2019,
disclosing their account credentials to the cybercriminals. Those
credentials were used to access Wise Health’s employee kiosk to
reroute direct deposit payroll.

In total, the hackers attempted to reroute about 100 of those
deposits. Under Wise Health’s security policy, two checks were
required to be issued to employees after a change to direct deposit
information.
As a result, a large number of checks were printed in April that
raised a red flag. Officials said the measure alerted them to the
potential scam and prevented the rerouting of those payments.

Wise Health issued a system-wide password reset and hired an outside
cybersecurity firm to assist with the investigation. The incident was
also reported to the FBI. It’s believed that hackers were only seeking
payroll data and that it's unlikely patient information was accessed.

But the email accounts did contain a trove of patient data, including
protected health information. Those patients are receiving
notification out of an abundance of caution and are being offered a
year of free credit monitoring and identity theft services.

CENTRAL KANSAS ORTHOPEDIC RANSOMWARE ATTACK

A ransomware attack on Central Kansas Orthopedic Group potentially
gave hackers access to medical records. CKOG did not pay the ransom
and was able to restore its systems from backups.

The infection began on November 11, and CKOG immediately contacted
outside counsel and a third-party investigator. The investigation did
not find evidence that any data was exfiltrated, but it’s possible the
hackers had access to patient data.

The potentially impacted data includes contact information, dates of
birth, driver’s license numbers or state IDs, health information
related to treatment at CKOG, health insurance numbers, Social
Security numbers, and email addresses.

CKOG will be leaning on its third-party investigators to determine
ways to improve its overall security and will implement new tools
where necessary. About 17,214 patients are being notified of the
potential compromise.

NCH REPORTS BREACH FROM JUNE 2019 PHISHING ATTACK

NCH Health has closed the investigation into the scope of a phishing
attack on its payroll system that it discovered in June 2019. The
Florida health system first reported it was investigating the security
incident in August 2019 with help from a third-party forensics firm.

Officials said they determined on July 2 that several employees fell
victim to phishing emails that provided hackers with access to their
email accounts. At the time of the initial reporting, NCH said they
were still investigating the scope of the incident.

According to the notification, hackers got into the NCH payroll system
through the phishing scheme. It appears the hackers were solely
focused on rerouting direct deposit payroll funds. The medical records
systems were not impacted by the attack.

However, the attack also provided the cybercriminals with employee
login credentials, and the investigation could not rule out whether
emails were viewed during the event.

The third-party forensics firm “undertook a diligent and
time-consuming manual and programmatic review of the entire contents
of the relevant email accounts.”

NCH confirmed the patients whose information was contained in those
accounts, and officials said they’ve been working to obtain all
addresses of those individuals. The data varied by patient, but could
include names, dates of birth, driver’s licenses, treatments, medical
histories, medications, beneficiaries, provider names, patient
identification numbers, health insurance data, and/or user names and
passwords.

For less than 5 percent of patients, Social Security numbers were
compromised. All patients will receive two years of free credit
monitoring and identity theft restoration services.

PSL SERVICES IN MAINE REPORTS EMAIL HACK

Peregrine (PSL Services) in Maine is notifying an undisclosed number
of patients that their data was potentially compromised after a hack
on several employee email accounts.

On December 17, officials said they discovered suspicious activity in
one employee email account. An investigation was launched with
assistance from a third-party forensics specialist. They determined a
number of employee email accounts were hacked for three days between
December 16 and December 19.

The investigation is ongoing, as officials are reviewing the contents
of the accounts to determine the scope of the incident. So far,
they’ve determined the accounts contain patient names, addresses,
Social Security numbers, dates of birth, driver’s licenses, medical
data, and Maine Care numbers.

PSL is currently reviewing its security measures and will implement
further safeguards. Officials said they are still working to identify
the patients whose information was potentially compromised and will
provide them with free identity protection services.

The Department of Health and Human Services and the Maine Attorney
General have both been notified.

