A phishing attack on the Portland, Oregon-based healthcare provider Legacy Health has resulted in the exposure and possible theft of 38,000 patients’ protected health information (PHI).
The attack was detected on June 21, but the subsequent investigation revealed that the attackers had first gained access to some employees’ email accounts several weeks earlier, in May.
An analysis of the compromised email accounts revealed they contained information such as patients’ names, dates of birth, demographic information, health insurance details, billing information, and for certain patients, their Social Security number and/or driver’s license number.
It is not known whether the attackers downloaded the emails in the compromised accounts during the period in which access was possible. At the time the breach notice was issued, Legacy Health had received no reports suggesting that any PHI had been misused.
However, since the possibility of data theft could not be ruled out, all patients whose Social Security number or driver’s license number was present in one of the compromised accounts have been offered complimentary credit monitoring services for 12 months.
To prevent further breaches of this nature, additional access restrictions have been placed on the organization’s email accounts.
Defending against phishing attacks requires a combination of security controls. Spam filtering reduces the likelihood of phishing emails reaching employees’ inboxes, web filters block access to known phishing websites, and two-factor authentication makes it much harder for an attacker to remotely access an email account with credentials harvested in a phishing attack. Because the accounts in this incident were accessible for weeks before the attack was detected, monitoring and alerting on unusual mailbox sign-ins also matters: it shortens the window in which a compromised account can be used.
In addition to technological controls such as these, all employees should receive security awareness and anti-phishing training. When training is coupled with phishing simulation exercises, susceptibility to phishing attacks can be reduced by up to 95%.