BJC HealthCare Phishing Attack Impacts Patients at 19 Hospitals

BJC HealthCare reported unauthorized access to the email accounts of three employees after the employees responded to phishing emails they received.

On March 6, 2020, BJC HealthCare detected suspicious activity in the email accounts and immediately secured them. A prominent computer forensics company was hired to conduct an investigation, which revealed that the attackers had only accessed the three accounts for a limited period of time on March 6. The investigators cannot tell if the attacker viewed or obtained patient data.

An evaluation of the accounts revealed they contained the information of patients at 19 BJC HealthCare and affiliated hospitals. The email messages and attachments contained varying protected health information (PHI) of patients, which may have included the following data elements:

Patients’ names, dates of birth, patient account numbers, medical record numbers, and limited treatment and/or clinical details, which contained provider names, visit dates, prescribed medicines, diagnoses, and testing data. The health insurance details, Social Security numbers, and driver’s license numbers of a number of patients were also potentially compromised.

BJC Healthcare will notify by mail all patients affected by the breach as soon as the email account analysis is completed. Patients whose driver’s license or Social Security number were potentially compromised will be provided credit monitoring and identity theft protection services for free.

BJC HealthCare stated more security measures will be enforced to avoid occurrences such as this in the future and employees will get training again to help them identify and steer clear of suspicious emails.

The BJC HealthCare and affiliated hospitals affected by the breach are:

  • Alton Memorial Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Home Care
  • BJC Medical Group
  • BJC Corporate Health Services
  • Boone Hospital Center
  • Christian Hospital
  • Louis Children’s Hospital
  • Memorial Hospital East
  • Memorial Hospital Belleville
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Progress West Hospital
  • Parkland Health Center Bonne Terre
  • Parkland Health Center Farmington

Phishing Attacks at Hartford Healthcare and Saint Francis Ministries Reported

The Saint Francis Ministries health system reported that an unauthorized individual accessed the email account of one of its employees resulting in a potential compromise of patient information.

The health system discovered the breach on December 19, 2019 upon noticing suspicious activity in the email account of an employee. A third-party computer forensics company investigated the breach and confirmed on February 12, 2020 that there was unauthorized access to the account between December 13, 2020 and December 20, 2019. It cannot be determined if the attacker accessed emails containing patient information or downloaded any email messages; however, no reports have been received that suggest the misuse of any patient information.

A review of the affected accounts was done on March 24, 2020 which confirmed the potential compromise of the following information: name, date of birth, driver’s license number, Social Security number, state ID number, bank/financial account number, credit or debit card number, username and password, diagnosis, treatment information, prescription data, provider name, Medicare/Medicaid number, medical record number, health insurance data, and treatment cost details.

On April 12, Saint Francis Ministries started sending notification letters to affected people. The health system also offered the affected patients complimentary credit monitoring and identity theft protection services and took steps to improve email security so that similar breaches will be avoided in the future.

Phishing Attack on Hartford Healthcare

Hartford Healthcare, a healthcare network established in Connecticut and Rhode Island, experienced a phishing attack and reported it on April 13, 2020. The healthcare network discovered the attack on February 13, 2020 upon noticing unusual activity in the email accounts of two employees.

With the help of a third-party computer forensics company, Hartford Healthcare confirmed that the hackers accessed the email accounts from February 13 to February 14, 2020.

There was protected health information (PHI) contained in at least one of the email accounts. The PHI of a number of patients included names, health insurance details, medical record numbers, and other health-related information. The email accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare stated that the attack affected 2,651 patients and breach notifications are being sent now. There were 23 individuals who received offers of two-year complimentary credit monitoring and identity theft protection services because of the potential compromise of their Social Security numbers.

Phishing Attacks on Healthcare Resource Group and Confido Compromised the PHI of Patients

Confido, a pharmacy benefits consulting firm, started sending notification letters to 3,600 of its clients’ employees, members, and their dependents regarding the potential access of some of their personal information by an unauthorized individual who gained access to the email account of an employee.

Confido detected the email account breach on December 12, 2020 and launched an investigation to determine the extent and scope of the breach. A third-party security firm assisting Confido established on January 17, 2020 that an unauthorized individual accessed the email account for two weeks from November 29, 2019 to December 12, 2019. The investigators could not determine if the hacker downloaded information from the email account, but the possibility cannot be ruled out.

An extensive review of the email account revealed it contained information such as names, birth dates, health insurance details, Social Security numbers, prescription data, treatment data, and clinical details such as diagnoses and healthcare provider names.

People affected by the breach received breach notification letters on February 10, 2020. No-cost credit monitoring services were made available to people who had their Social Security numbers exposed.

Because of the breach, Confido provided further training on security awareness to its workers and implemented more procedures to reinforce email security.

Phishing Attack on Healthcare Resource Group Impacts Barlow Respiratory Hospital Patients

Healthcare Resource Group is the billing services provider of Barlow Respiratory Hospital in Los Angeles, CA. An unauthorized person accessed the email account of an employee of the Healthcare Resource Group. The investigation into the breach revealed that the hacker had access to the email account between November 4, 2019 and November 30, 2019.

Based on the email account analysis, the emails and attachments included a limited amount of protected health information (PHI) of current and past patients of Barlow Respiratory Hospital.

A third-party company reviewed the account to ascertain the types of information compromised. On February 27, 2020, the completed review revealed that patient names were exposed in addition to one or more of the following data elements: Social Security number, date of birth, driver’s license number, medical record number, patient account number, health insurance data, treatment details, and medical billing or claims information.

Healthcare Resource Group mailed notifications to affected patients of Barlow Respiratory Hospital on April 7, 2020. The Group also offered one year’s membership to credit monitoring and identity theft restoration services to affected patients.

Email Security Breaches at The Otis R. Bowen Center for Human Services and University of Minnesota Physicians Impacts Almost 36,500 Patients

The Otis R. Bowen Center for Human Services based in Indiana provides mental health and addiction recovery healthcare services. It reported an incident in which unauthorized persons gained access to two employees’ email accounts.

The date when the email account breaches took place is uncertain. There’s also no information regarding how long the unauthorized persons accessed the email accounts. According to the substitute breach notification posted on its website, an independent digital forensic investigation team informed The Otis R. Bowen Center on January 28, 2020 that PHI was potentially accessed because of the attack. The service provider has just completed the accounts review to identify the patients affected and has sent the notifications by mail. The types of data potentially compromised were not mentioned.

The Otis R. Bowen Center stated that the investigation did not find any proof that indicates the misuse of PHI resulting from the breach. Nevertheless, as a safety precaution, affected people were offered free membership to credit monitoring and identity theft protection services via Kroll.

Because of the breach, The Otis R. Bowen Center took steps to enhance its email and network security. The provider is also working directly with prominent cybersecurity professionals to enhance its digital environment’s security.

Based on the Department of Health and Human Services’ breach portal, there were 35,804 patients whose protected health information was compromised in the email accounts.

University of Minnesota Physicians Phishing Attack

University of Minnesota Physicians discovered the compromise of two employee email accounts after employees responded to phishing emails. In both cases, the phishing attacks were noticed soon after the compromise of the email accounts. Action to secure the accounts was taken on January 31, 2020 and February 4, 2020. The unauthorized person had access to the first account for under two days and to the second account for just a couple of hours.

Third-party computer forensics experts conducted a thorough investigation; however, they could not determine whether the attackers viewed or copied any email in the accounts. A review of the email accounts showed that they contained patient names, phone numbers, addresses, birth dates, demographic data (gender, race, ethnicity), Social Security numbers, place of treatment, names of providers, insurance ID numbers, partial medical history details, and case numbers.

UMPhysicians began mailing notification letters to impacted persons on March 30, 2020 and offered free one-year membership to credit monitoring and identity theft protection services via Kroll.

UMPhysicians stated that there were several email security controls, such as multi-factor authentication, in place prior to the attack. Employees were also required to undergo regular security awareness training and phishing simulation exercises.

UMPhysicians gave the employees refresher training and is planning to implement further measures to enhance email security.

The OCR breach portal stated that the breach affected 683 patients.

Healthcare Data Breaches at Torrance Memorial Medical Center, Tandem Diabetes Care and Foundation Medicine

Breach of Patients’ Radiology Images at Torrance Memorial Medical Center

Torrance Memorial Medical Center (TMMC) in California found out that the security protections of a server used by a third-party radiology vendor had been removed, allowing unauthorized persons to access some patient data.

The radiology vendor sent TMMC a notification regarding the potential data breach on January 6, 2020. According to the investigators, the protections were removed by accident on June 20, 2019 and unauthorized persons could access the server until December 13, 2020.

It is believed that there is a low risk to the patients because radiology images were only stored on the server for a brief period of time. The images on the server are deleted automatically every 24 hours. Nonetheless, the total number of medical images temporarily stored on the server during a 6-month period covers 3,448 patients. The radiology images contained information such as names, birth dates, gender, medical record number, accession number, and referring doctor’s names.

Although it is believed that there is a low risk to patients, TMMC has provided all impacted patients with free identity theft protection services.

Phishing Attack Impacts Tandem Diabetes Care Patients

Cybercriminals targeted Tandem Diabetes Care, Inc. located in San Diego, CA and accessed the email accounts of some of its employees from January 17, 2020 to January 20, 2020. Tandem Diabetes Care discovered the attack on January 17, 2020 and investigated the incident promptly with the assistance of a cybersecurity firm.

The compromised employee accounts included information such as the patients’ names, contact details, clinical data associated with diabetes care, and data concerning customers’ use of Tandem’s services and products. The Social Security numbers of some patients may likewise have been breached.

Tandem is fortifying user authorization and authentication, improving its email security controls, and has revised its guidelines and procedures to restrict the types of information that could be sent through email. On March 17, 2020, impacted patients were informed regarding the breach.

The breach affected 140,781 patients as indicated on the HHS’ Office for Civil Rights breach portal.

Phishing Attack at Foundation Medicine

Foundation Medicine based in Cambridge, MA, a provider of genomic profiling services, discovered the compromise of an employee’s email account after the employee responded to a phishing email.

Foundation Medicine learned of the incident on January 14, 2020. According to the investigation, which was led by a third-party forensics company, the attacker was able to access the email account from December 17, 2019 to January 14, 2020. In that time frame, an unauthorized person possibly accessed patient data contained in the email account such as patient names, birth dates, ages, test names, FMI ID numbers and ordering doctors’ names.

Foundation Medicine has already informed all impacted patients and provided further security awareness training to its employees.

Data Breaches at Munson Healthcare, Jefferson Dental Care Healthcare Management and Tennessee Orthopaedic Alliance

A number of healthcare providers recently reported phishing attacks, namely Munson Healthcare, Jefferson Dental Care Healthcare Management and Tennessee Orthopaedic Alliance.

Phishing Attack on Munson Healthcare

Munson Healthcare located in Traverse City, MI found out that unauthorized persons had obtained access to several employees’ email accounts. Third-party computer forensic professionals helped Munson Healthcare confirm the suspicious access of the email accounts from July 31, 2019 to October 22, 2019.

Upon checking the impacted email accounts on January 16, 2020, it was confirmed that the email accounts contained the names of patients, birth dates, insurance details, and treatment and diagnostic details. The accounts additionally included some driver’s license numbers, financial account numbers, and Social Security numbers.

Free credit monitoring services were offered to persons whose Social Security numbers were potentially exposed. Munson Healthcare is going to implement more technical security controls to prevent similar breaches in the future.

PHI of 45,748 Jefferson Dental Care Healthcare Management Patients Compromised

Jefferson Dental Care Healthcare Management based in Dallas, TX found out that an unauthorized person obtained access to the email account of one employee from July 21, 2019 to Aug. 26, 2019.

The dental care provider noticed odd activity in the email account on or around October 19, 2019 and secured the account without delay. On December 10, 2019, JDH Healthcare Management confirmed that the PHI of 45,748 patients was in the email account. Though no proof was discovered that the attacker viewed patient data, it is likely that names, birth dates, addresses, healthcare treatment data, medical histories, medical insurance details, payment data, medical record numbers, and patient numbers might have been exposed. JDH Healthcare Management made free credit monitoring and identity protection services available to impacted patients.

JDH Healthcare Management is reviewing its policies and procedures and has put in place extra safety measures to strengthen email security.

Phishing Attack on Tennessee Orthopaedic Alliance

Tennessee Orthopaedic Alliance (TOA) learned that unauthorized people had accessed two employee email accounts. TOA discovered the data breach on October 18, 2019 after noticing odd activity in the email account of one employee. The account was promptly secured, and third-party computer forensics professionals were hired to investigate the breach. The investigation uncovered that another email account was compromised as well and that unauthorized persons accessed the accounts from August 16, 2019 to October 14, 2019.

On January 3, 2019, TOA established that the breached email accounts included names, addresses, telephone numbers, birth dates, health insurance data, Social Security numbers, diagnostic details, treatment data, and treatment expenses.

Patients were notified of the breach on February 14, 2019. People whose Social Security numbers were potentially compromised received free credit monitoring and identity theft protection services. Even though the attackers might have viewed the PHI in the email accounts, TOA didn’t see any proof that suggests the improper use of patient data.

The HHS’ Office for Civil Rights breach portal indicates that the attack impacted 81,146 patients.

Healthcare Organizations Reported A Number of Email Security Breaches

HIPAA-covered entities and their business associates recently reported 5 more healthcare data breaches associated with 500 or more records.

Email Account Breach at Shields Health Solutions

Shields Health Solutions based in Stoughton, MA provides specialty pharmacy services to covered entities and hospitals. An unauthorized person accessed an employee’s email account and possibly viewed/copied the protected health information (PHI) it contained.

Shields Health Solutions detected suspicious activity in the employee’s email account on October 24, 2019. A cybersecurity company investigated the incident and confirmed that an unauthorized person accessed the account from October 22 to October 24, 2019. The breach was restricted to one email account.

The email account had messages and file attachments that contained patient names, birth dates, medical record numbers, provider names, clinical data, prescription details, insurance provider names, and limited claims data. There is no evidence that suggests the access or copying of patient data.

Shields Health Solutions improved its email security by using multi-factor authentication on all the email accounts of employees and sent notification letters on December 16, 2019 to the affected persons. The HHS’ Office for Civil Rights (OCR) breach portal hasn’t published the breach yet, so the exact number of people affected is not yet known.

Email Breach at Lafayette Regional Rehabilitation Hospital

Lafayette Regional Rehabilitation Hospital based in Lafayette, IN, discovered in July 2019 that an unauthorized person accessed an employee’s email account and possibly viewed patients’ PHI.

Upon discovery of the breach on November 25, 2019, the incident was promptly investigated to determine whether unauthorized persons accessed any patient data. No evidence was found that suggests the viewing or copying of patient data; however, the possibility cannot be eliminated. The compromised email account contained names, birth dates, and clinical and treatment data associated with medical services provided at the hospital. The Social Security numbers of some patients were also exposed.

The hospital sent notification letters to impacted patients on January 24, 2019. Those who had their Social Security numbers exposed received free credit monitoring services. Lafayette Regional Rehabilitation Hospital also improved email security and reinforced the training of employees on security awareness.

The breach report sent to the OCR stated that the breach affected around 1,360 patients.

Phishing Attack on MHMR of Tarrant County

A phishing attack on My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX affected the email accounts of some employees. MHMR discovered the phishing attack on December 3, 2019.

According to the investigation, an unauthorized person accessed the accounts in the period covering October 12 to October 14, 2019. The information contained in the email accounts included names, driver’s license numbers, Social Security numbers, and some data on the services received at MHMR.

It cannot be determined if patient data was viewed. There is also no information on the misuse of patient information. As a precaution, all 6,524 people whose data was contained in the compromised email accounts were notified by postal mail. Those who had their driver’s license number or Social Security number exposed were offered free credit monitoring and identity theft protection services.

Employees also received extra email security training. MHMR also enhanced its security controls and systems.

Phishing Attack at Reva

Reva, a provider of medical transportation services, reported that an unauthorized person potentially accessed the PHI of around 1,000 patients because of a phishing attack.

When Reva detected suspicious activity in an employee’s email account on September 12, 2019, the provider secured the account and launched an investigation. It was discovered that other email accounts were compromised. Unauthorized access of the accounts could have happened from July 23, 2019 to September 13, 2019.

The information contained in the compromised accounts included patients’ names, dates of service, travel insurance data, limited clinical data, driver’s license numbers, passport numbers, and some Social Security numbers.

Reva offered free credit monitoring and identity theft protection services to patients who had their driver’s license numbers or Social Security numbers exposed. The affected people received notifications by mail on January 22, 2019.

Reva enhanced email security by implementing multi-factor authentication and giving employees further security awareness training.

Lawrenceville Internal Medicine Associates Email Error

Lawrenceville Internal Medicine Associates (LIMA) located in Lawrence Township, NJ, is notifying 8,031 people regarding an email error that resulted in the exposure of patients’ email addresses. The mailing error also affected some Endocrinology Associates of Princeton, LLC patients.

LIMA sent an email announcement to patients on October 29, 2019. After two days, LIMA was informed that other patients’ email addresses could have been seen in the email’s BCC field. The error did not result in the exposure of any other data.

In response to the mailing error, the IT department received additional training and LIMA further strengthened its email security policies and procedures and modified its email system for sending email messages to patients.

Phishing Attacks on VillageCareMAX, VillageCare Rehabilitative and Nursing Center and Phoenix Children’s Hospital

Village Senior Services Corporation, also called VillageCareMAX (VCMAX), and Village Center for Care, also called VillageCare Rehabilitative and Nursing Center (VRNC), encountered a business email compromise (BEC) attack. The threat actors behind BEC attacks impersonate an executive, either by using the genuine email account of an executive that was compromised in a past attack or by spoofing the email address of the executive.

An unauthorized person pretended to be a member of the executive staff and asked for sensitive data of VCMAX members and VRNC patients. An employee was convinced that the request was legitimate and responded by providing the requested information. On or around December 30, 2019, VCMAX and VRNC received notification about the potential BEC attack.

The investigators confirmed that the request was not legitimate and that sensitive data of VCMAX members and VRNC patients was impermissibly disclosed. The data sent through email contained the Medicaid ID numbers and names of 2,645 VCMAX members and the first and last names, birth dates, insurance company names, and insurance ID numbers of 674 VRNC patients.

There were no reported cases of personal information misuse; however, all affected persons were instructed to be cautious and to monitor accounts, explanation of benefits statements and credit reports for indications of bogus transactions. VCMAX and VRNC are reviewing and improving their policies and procedures to avoid similar attacks in the future.

Phishing Attack on Phoenix Children’s Hospital

A targeted phishing attack on Phoenix Children’s Hospital from September 5 to September 20, 2019 resulted in the compromise of the email accounts of seven hospital employees.

After the hospital became aware of the breach, a prominent computer forensic company was hired to investigate the magnitude of the breach. On November 15, 2019, the hospital found out that the compromised email accounts held the protected health information (PHI) of 1,860 past and present patients, which the attackers might have viewed or downloaded.

The patient data contained in the accounts included their names and personal data. The Social Security numbers and some health data of some patients were also included.

Phoenix Children’s Hospital began sending notification letters to the affected patients via mail on January 14, 2020. The hospital also offered free credit monitoring and identity theft protection services to patients who had their Social Security number potentially compromised.

PIH Health Phishing Attack Impacted Nearly 200,000 Patients

A phishing attack on PIH Health, which is a 2-hospital not-for-profit healthcare network, established in Whittier, CA, resulted in the potential breach of the personal and protected health information (PHI) of about 200,000 patients in June 2019.

PIH Health found out on June 18, 2019 that unauthorized individuals accessed the email accounts of some employees because of a targeted phishing attack. The hospital immediately secured the email accounts and launched an investigation to find out the nature and scope of the breach.

Cybersecurity experts helped PIH Health investigate the incident and confirmed on October 2, 2019 that unauthorized access of the email accounts occurred from June 11, 2019 to June 18, 2019.

The cybersecurity experts also checked the email accounts to ascertain whether they contained any patient data. The review was concluded on November 12, 2019. Afterward, PIH Health tried to get updated contact details for present and past patients impacted by the breach. The hospital mailed breach notifications to those people on January 10, 2020.

The Department of Health and Human Services Office for Civil Rights already received the phishing attack report and had posted the incident on its breach portal. The summary report indicated that the breach potentially impacted around 199,548 patients.

Patients were instructed to keep track of their account statements for any suspected fraudulent activity and report it immediately. Patients also received offers of free credit monitoring and identity theft protection services via Kroll for one year.

PIH Health mentioned in its substitute breach notification that the company considers data privacy and protection a top priority and it extends its deepest apologies for the inconvenience or worry the incident has caused to its patients.

More People Impacted by Quest Health Systems Phishing Attack in 2018

Health Quest, which is now part of Nuvance Health, found out that the impact of the phishing attack in July 2018 was more extensive than first believed.

A number of employees were fooled into sharing their email credentials by phishing emails, thus allowing unauthorized people to access their accounts. A top-rated cybersecurity agency assisted with the investigation to determine whether there was a compromise of patient information.

In May 2019, Quest Health learned that the emails and attachments in the compromised accounts contained 28,910 patients’ protected health information (PHI) and so the health system sent breach notification letters to the affected persons. The information contained in the compromised accounts included patient names, contact information, claims details, and some health data.

On October 25, 2019, a secondary investigation of the breach uncovered the compromise of one more employee email account containing PHI. Based on the substitute breach notification posted on the Quest Health website, the compromised data differed from one patient to another; however, names and at least one of these data elements may have been included:

Dates of birth, driver’s license numbers, Social Security numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis details, health insurance plan member and group numbers, health insurance claims details, financial account details with PIN/security code, and payment card details.

No evidence was found that unauthorized people accessed patient data, and no report has been received about the misuse of patient information. As a safety precaution, on January 10, 2020, Health Quest sent another notification letter to patients.

Because of the breach, Quest Health now uses multi-factor authentication for email accounts, has fortified security procedures, and has given employees additional training on phishing and other cybersecurity problems.

There is no clear statement as to how many additional patients were affected by the breach. To date, the number of individuals impacted as listed on the HHS’ Office for Civil Rights breach portal remains 28,910 individuals.

Phishing Attack on SouthEast Eye Specialist Group and Ransomware Attack on btyDental

A recent phishing attack on SouthEast Eye Specialist (SEES) Group located in Franklin, TN resulted in the exposure of some protected health information (PHI) of 13,000 patients.

The SEES Group’s substitute breach notice did not clearly say when the phishing attack took place. However, on November 1, 2019, SEES Group confirmed that unknown persons accessed the patient information contained in the email accounts.

SEES Group discovered the breach because the IT department found suspicious activity in the email accounts of some employees. A third-party computer forensics firm investigated the incident to ascertain if the emails or file attachments contained patient data that the attackers potentially viewed or copied.

The investigators found no proof that indicates unauthorized persons accessed the patient information. However, the possibility of patient data compromise cannot be ruled out.

A meticulous analysis of all email messages in the compromised accounts showed they included data on patients such as names, treatment details, and Social Security numbers.

SEES Group is currently reviewing its policies and procedures on information security and will improve email security to prevent similar incidents in the future.

Ransomware Attack on btyDental

A ransomware attack on btyDental, which is a network of dental practices located in Anchorage, AK, resulted in the potential compromise of some PHI of 2,008 patients.

The attackers deployed ransomware on some of its servers some time on November 17, 2019. The names and X-ray images of patients are stored in the servers. Other patient PHI is stored in systems that were not affected by the attack.

btyDental immediately implemented steps to recover the compromised servers. Third-party IT experts helped with the investigation and found no evidence that indicates the access or download of any patient images by the attackers.

The security policies and procedures of btyDental have been reviewed. Steps are being taken to avoid similar attacks in the future, and btyDental will keep monitoring system security and update measures as necessary.

HIPAA Breaches at Colorado Department of Human Services and Sinai Health System

The State of Colorado is informing 12,230 people that some of their protected health information (PHI) was impermissibly disclosed due to a mailing error.

The error involved the mailing of Notices to Reapply for food and cash assistance programs by the Colorado Department of Human Services.

The error was discovered on November 6, 2019. According to the investigation results, the 10,879 Notice to Reapply forms that were dispatched contained the data of the wrong persons. The data of 12,230 people were included by mistake on the forms.

The data contained in the forms were names, names of employers, whether the individual had a vehicle, and some other data associated with household assets. No addresses, birth dates, financial data, Social Security numbers, or any data needed for identity theft and fraud were disclosed.

Affected persons were informed regarding the error on November 10, 2019 and were instructed to dispose of the wrong notices either by shredding or bringing them to a local county office of human services for proper disposal.

There is a low risk of improper use of PHI because of the nature of the exposed data; however, as a preventative measure, affected persons were offered free credit monitoring services for one year.

Phishing Attack on Sinai Health System

Sinai Health System, based in Chicago, found out that two of its employees’ email accounts were compromised after the employees responded to phishing emails. No information was given regarding when the attack happened or when it was identified; however, Sinai Health System reported that an investigation by third-party computer forensics professionals confirmed on October 16, 2019 the compromise of PHI contained in the accounts. The attackers potentially accessed the PHI, but no proof of data theft was uncovered and no report of PHI misuse was received.

The types of data contained in the compromised email accounts differed from one patient to another. The following data may have been included: names, addresses, birth dates, Social Security numbers, medical data, and medical insurance details. Sinai Health System already took steps to strengthen email security, including an email filtering controls upgrade. Employees also received additional training on security awareness to help them recognize malicious emails. Email retention policies were also modified.

Sinai Health System submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights, which indicated the compromise of the PHI of 12,578 patients.

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Montana-based Kalispell Regional Healthcare is being sued because of a phishing attack that allowed hackers to gain access to employee email accounts that contain the protected health information (PHI) of roughly 130,000 patients.

The patient information contained in the compromised email accounts included names, contact details, medical bill account numbers, health insurance details, and medical histories. The Social Security numbers of around 250 persons were likewise compromised.

The phishing attack happened in May 2019; however, it was not clear at first which patients, if any, were affected. Forensic investigators only determined in August that patient information was potentially compromised.

Kalispell Regional Healthcare notified all affected patients and offered 12 months of credit monitoring and identity theft protection services for free to patients who had their Social Security numbers potentially compromised.

One patient whose personal and health information was compromised took legal action in relation to the data breach. On November 25, Attorney John Heenan filed the lawsuit in Cascade County District Court in Great Falls, MT. Attorney Heenan is aiming for class-action status for the lawsuit.

The lawsuit claims that Kalispell Regional Healthcare

  • was unable to take the required steps to secure the privacy and confidentiality of the personal and health information of patients
  • did not follow the best practices and industry benchmarks for protecting patient data
  • did not notify patients regarding the breach promptly

Due to the alleged setbacks, the lawsuit claims that patients were placed at risk of identity theft and fraud.

It appears that Henderson’s personal and health information was not misused at the time the lawsuit was filed; nevertheless, he says that he is vulnerable to identity theft and fraud, which can happen at any time since hackers have his information.

Under HIPAA, patients cannot file a suit against healthcare providers for damages because there is no private cause of action. However, patients can take legal action in many states, as in Montana, for cases involving healthcare data breaches.

The Montana Uniform Health Care Information Act permits healthcare data breach victims to file suit against healthcare providers for violations of the Act. The lawsuit claims Kalispell Regional Healthcare has violated the Act.

After learning that patient information was potentially compromised, the health system sent notification letters to the affected patients and reported the breach through local media outlets.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, mentioned that this case did not just involve average hackers; they used sophisticated tricks to disguise their tracks. She also explained that patient privacy is a top priority of the health system and that email security solutions had been implemented prior to the attack to stop spam and phishing emails. The email security controls block approximately 50,000 inbound email threats daily. She also stated that CynergisTek conducted an audit of its system in 2018 and declared it to be in the top 9% of healthcare industry companies for cybersecurity compliance.

Since the phishing attack, the health system has improved its email security and conducted more training for employees to increase their awareness of email threats, including phishing attacks.

Solara Medical Supplies and Select Health Network Report Phishing Attacks Impact Patients PHI

Solara Medical Supplies, LLC in Chula Vista, CA, encountered a phishing attack that potentially compromised the protected health information (PHI) of many of its clients.

On June 28, 2019, Solara Medical identified suspicious actions in the email account of an employee and started an investigation to figure out the nature and magnitude of the breach. Solara Medical and third-party computer forensics professionals investigated the breach and found it was quite extensive. Several Office 365 email accounts had been compromised for the period of April 2, 2019 to June 20, 2019.

All breached accounts underwent a programmatic and manual analysis to find out whose PHI was potentially exposed. The information contained in the email accounts differed from patient to patient. The patients’ first and last names were included in the compromised information along with one or more of the listed data elements: address, birth date, employee ID number, health insurance details, financial information, credit card/debit card number, password/PIN or account login details, passport details, Social Security number, driver’s license number, state ID number, Medicare/Medicaid ID, claims details, and billing records.

Solara Medical promptly safeguarded the compromised accounts upon discovery of the breach and added more security measures for better email security. People affected by the breach got notification letters and free one-year credit monitoring and identity theft protection services.

The breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights, but the OCR breach portal has not published the breach yet. Hence, the number of individuals impacted by the breach is still uncertain.

Select Health Network Phishing Attack

Select Health Network in Mishawaka, IN had a phishing attack that potentially compromised the PHI of a number of people.

After detecting suspicious activity in the email accounts of some employees, computer forensics professionals investigated the phishing attack. The investigation confirmed the compromise of several email accounts within the period of May 22, 2019 to June 13, 2019.

Select Health Network got the audit results of the compromised email accounts on October 1, 2019, which confirmed that the accounts contained a wide range of PHI.

The exposed data, which differed from person to person, included the patients’ first and last names coupled with one or more of the listed information: birth date, address, member ID number, medical insurance information, medical record number, medical report, name of treating/referring doctor, treatment information, treatment expenditure, and medical insurance policy number. Some patients’ Social Security numbers were similarly exposed.

Select Health Network has not received any report of patient information misuse caused by the breach. Those who had their Social Security numbers exposed received 12 months of complimentary credit monitoring and identity theft protection services.

Select Health Network re-evaluated its policies and procedures in addition to implementing more safety procedures to fortify email security and avert similar phishing attacks.

Phishing Attacks on UNC Chapel Hill School of Medicine and Starling Physicians Compromised Patients Data

A phishing attack on the University of North Carolina Chapel Hill School of Medicine resulted in the potential access of the protected health information (PHI) of 3,716 patients by unauthorized persons.

An investigation by third-party forensics experts confirmed the compromise of a few employee email accounts from May 17, 2018 to June 18, 2018. It is not clear when the security breach was first detected.

The email messages and attachments in the compromised accounts contained information that differed from one patient to another, but the patient information may have included names, demographic data, birth dates, Social Security numbers, medical insurance data, financial account details, and credit card numbers.

UNC Chapel Hill School of Medicine notified the affected people on November 12, 2019 and offered free credit monitoring and identity theft protection services to those whose Social Security numbers were potentially exposed.

The University also implemented multi-factor authentication and gave further training to the personnel about cybersecurity and phishing.

Phishing Attack on Starling Physicians

A phishing attack on Starling Physicians P.C. in Connecticut resulted in the potential compromise of the personal and health data of some patients. The attack on the physician group happened on February 8, 2019. A third-party forensics company conducted a breach investigation to assess the nature and extent of the attack. There were three email accounts of employees that were compromised.

On September 12, Starling Physicians stated that the information contained in the compromised email accounts included names, addresses, birth dates, passport numbers, Social Security numbers, medical insurance details, billing data, and medical data of some patients. There is no mention of when the group discovered the phishing attack.

The affected patients received notification letters on November 12, 2019. Patients whose Social Security numbers were potentially compromised were offered free credit monitoring and identity theft protection services.

The exact number of affected patients is currently uncertain. However, the group’s spokesperson said that the incident affected less than 0.01% of active patients.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about security experiences and cybersecurity practices at healthcare companies. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been spotted that misuses Google Translate to make the phishing webpage seem to be an official login page for Google.

The phishing emails in the campaign are similar to several other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body almost identical to the messages sent by Google when a user’s Google account has been accessed from an unknown device or place.  The messages contain the Google logo and the text, “A user has just signed in to your Google Account from a new Windows appliance. We are transmitting you this electronic mail to confirm that it is you.”

Below the text is a clickable button with the text “Consult the activity.” Clicking the button will direct the user to a website that has a spoofed Google login box. If credentials are entered, they will be sent to the scammer.

The emails are sent from a Hotmail account, facebook_secur@hotmail.com, which is the first warning sign that the email notification is a fraud. On desktop browsers, the URL that users are directed to is obviously not official, which is a further indication that this is a fraud.

Nevertheless, the scam will not be so clear to a user on a mobile device. If the button in the email is clicked, the user will be directed to a phishing webpage that is served through Google Translate. The visible part of the URL in the address bar begins with translate.googleusercontent.com/translate, which makes the URL seem genuine. The use of Google Translate may be enough for the emails to bypass mobile security defenses, and the apparently official Google domain is likely to fool a lot of users into thinking the webpage is genuine.

If the user enters their Google credentials in the login box, an email is generated that sends the credentials to the attacker. The user is then redirected to a bogus Facebook login page where the attackers also try to get the user’s Facebook login credentials.

The second attempt to phish for login credentials is easier to identify as fake because an old login box for Facebook is used. However, at that point, the user’s Google account will already have been compromised.

The scam was identified by Larry Cashdollar at Akamai.
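The two warning signs described above (a non-Google sender and a login page that only appears to be on a Google domain) can be checked mechanically. The following is an added example, not code from Akamai or from the original article; it assumes the proxied page address is carried in the `u` query parameter of the Translate link, and the sample link and the `login-check.example` host are constructed.

```python
from urllib.parse import urlsplit, parse_qs

TRANSLATE_HOST = "translate.googleusercontent.com"  # host named in the article
BRAND_DOMAINS = ("google.com",)  # assumption: domains a genuine Google alert uses

# Constructed sample link in the shape the article describes.
SAMPLE_LINK = ("https://translate.googleusercontent.com/translate_c"
               "?depth=1&sl=auto&tl=en&u=https%3A%2F%2Flogin-check.example%2Fgoogle%2F")


def on_brand(host, domains=BRAND_DOMAINS):
    """True if host is one of the brand domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_translate(url):
    """Return the proxied address if url is a Google Translate link, else None.

    Assumption: the proxied page address travels in the `u` query parameter.
    An empty string means a Translate link whose target could not be recovered.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != TRANSLATE_HOST:
        return None
    if not parts.path.startswith("/translate"):
        return None
    return parse_qs(parts.query).get("u", [""])[0]


def review_alert(sender, link, domains=BRAND_DOMAINS):
    """Return the reasons a 'security alert' email should not be trusted."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not on_brand(sender_domain, domains):
        findings.append(f"sender domain {sender_domain} is not a brand domain")

    # Peel off Translate wrapping (bounded, in case links are nested).
    effective, wrapped = link, False
    for _ in range(3):
        inner = unwrap_translate(effective)
        if inner is None:
            break
        effective, wrapped = inner, True
    if wrapped:
        findings.append("link is served through Google Translate; "
                        f"real page: {effective or 'unknown'}")

    # Judge the page that is actually rendered, not the proxy in front of it.
    host = urlsplit(effective).hostname
    if not on_brand(host, domains):
        findings.append(f"login page host {host or 'unknown'} is not a brand domain")
    return findings


if __name__ == "__main__":
    for reason in review_alert("facebook_secur@hotmail.com", SAMPLE_LINK):
        print("-", reason)
```

A mail gateway or mobile client that displays the unwrapped host instead of the proxy host removes the visual cue the campaign relies on.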

Office 365 Phishing Campaign Uses SharePoint Collaboration Request as Bait

A single Office 365 username/password combination can give a hacker access to a huge quantity of confidential information. The information contained in emails can be of great value to competitors, identity thieves, and other fraudsters.

Office 365 credentials also give hackers access to cloud storage resources that can hold extremely confidential business information, and compromised accounts can be used to distribute malware and carry out additional phishing campaigns on a company’s workers and business associates.

With the possible returns from a successful phishing attack so high, and a high proportion of companies using Office 365 (56% of all organizations internationally in 2018), it is no surprise that hackers are conducting targeted attacks on companies that use Office 365.

Office 365 Phishing Campaign Utilizes SharePoint Collaboration Request as Lure

A new report from Kaspersky Lab has highlighted an Office 365 phishing campaign that has proven to be highly effective. The campaign was first identified in August 2018 and is still active. Kaspersky Lab estimates that as many as 10% of all companies using Office 365 have been targeted in the attack.

The campaign has been dubbed PhishPoint because it uses a SharePoint collaboration request to lure workers into disclosing their Office 365 credentials. The emails are credible, the hyperlink seems to be genuine, the method used to get Office 365 login information is unlikely to arouse suspicion, and the campaign is able to sidestep Office 365 anti-phishing safeguards.

Emails are sent to Office 365 users requesting collaboration. The emails contain a genuine link to OneDrive for Business, which takes users to a document that has an “Access Document” link at the bottom. Because the hyperlink takes the user to a genuine document in OneDrive for Business, the message is not recognized as a phishing email by Office 365.

If the user clicks the link, he/she will be redirected to an Office 365 login page on a website managed by the attacker. The login page appears identical to the genuine login page used by Microsoft; however, any credentials entered on the site will be captured by the attacker.

Safeguarding Against Office 365 Phishing Attacks

Safeguarding against Office 365 phishing campaigns needs a defense-in-depth approach. Microsoft’s Advanced Threat Protection must be implemented to block phishing emails and prevent them from reaching inboxes, even though this campaign demonstrates that ATP controls are not always effective. A better choice is to use a spam filtering/anti-phishing solution that looks deeper than the URL and examines the page/document where users are directed.
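As an illustration of a filter that looks past the first URL and examines the document behind it, the sketch below inspects the links inside the shared document. It is an added example, not code from Kaspersky Lab, Microsoft, or the original article; the trusted-suffix list is an assumption, and the email link, the document HTML, and the `o365-signin.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: host suffixes treated as genuine Microsoft storage/sign-in endpoints.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoftonline.com", "office.com")

# Constructed samples: the link in the email and the document it opens.
EMAIL_LINK = "https://contoso-my.sharepoint.com/personal/user/Documents/proposal.html"
DOC_HTML = """
<html><body>
  <p>A colleague has shared a file with you.</p>
  <a href="https://login.microsoftonline.com/">Sign-in help</a>
  <a href="https://o365-signin.example/login">Access Document</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def trusted(url):
    """True if the URL's host is a trusted suffix or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def second_hop_findings(email_link, document_html):
    """Return links inside the shared document that leave the trusted set.

    The email link itself may pass a URL-only check; the finding records that
    so an analyst can see why the message was delivered.
    """
    collector = LinkCollector()
    collector.feed(document_html)
    return [
        {"email_link_trusted": trusted(email_link), "text": text, "href": href}
        for href, text in collector.links
        if urlsplit(href).scheme in ("http", "https") and not trusted(href)
    ]


if __name__ == "__main__":
    for finding in second_hop_findings(EMAIL_LINK, DOC_HTML):
        print(finding)
```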

Endpoint security solutions offer an additional safeguard against phishing attacks, and web filters can be used to prevent users from visiting phishing websites. However, these technical solutions are not fully dependable.

New scams that bypass anti-phishing defenses are continuously being developed by cybercriminals. Workers, therefore, need to be trained on how to identify phishing emails and must be taught cybersecurity best practices. Through regular training, workers can be conditioned on how to react to email threats and can be turned into a robust last line of defense.

New SpeakUp Linux Backdoor Trojan Used in Widespread Attacks

Security researchers at Check Point have identified a new Trojan called SpeakUp, which is being used in targeted attacks on Linux servers. The SpeakUp Linux backdoor Trojan can also be used to attack Mac devices.

The Trojan is installed through the exploitation of vulnerabilities in six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The present campaign is targeting Linux devices in the Philippines, China, India, and Latin America. The Trojan was first detected in late December, but infections have risen substantially since January 22, 2019. Although the malware is now being detected by numerous AV engines, at the time of analysis, the malware was not being detected as malicious.

Once installed, the malware communicates with its C2 server and registers the victim’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE vulnerabilities including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command execution flaw, and a JBoss AS 3/4/5/6 RCE vulnerability.

A Python script is included that checks for additional Linux servers within both internal and external subnets. Access is gained by brute force using a pre-defined list of usernames/passwords. Persistence is achieved through cron and an internal mutex, which makes sure only one instance remains active at any one time.

The SpeakUp Linux backdoor Trojan constantly communicates with its C2 and downloads and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running processes on an infected host, uninstall programs, and update installed files.

Check Point researchers have attributed the SpeakUp Linux backdoor Trojan to a threat actor known as Zettabithf.

The complicated nature of the malware indicates it is likely that the objective of the attacker is not just to install cryptocurrency miners. Once a host is infected, any number of different malware payloads can be installed. Check Point suggests that more intrusive and aggressive campaigns are likely to be introduced.

Importance of Security Awareness Training Emphasized by Censuswide Study on Phishing Threat

A new study by the consultancy company Censuswide has revealed the extent to which workers are being deceived by phishing emails and how, in spite of the danger of data breaches and regulatory penalties, many companies are not providing security awareness training to their workforce.