A recent Bronson Healthcare Group phishing attack has resulted in a hacker gaining access to the protected health information (PHI) of 8,256 patients.
The attack allowed the hacker to gain access to the health system’s email system, which contained the names, medications, and treatment information of patients. No Social Security numbers or patients’ financial information was compromised, and its electronic medical record system was not compromised.
In total, the email accounts of five employees were compromised over a period of 15 days. While patients’ PHI was potentially compromised in the attack, Bronson Healthcare Group reports that the aim of the attackers was not to obtain patient information, instead, the primary focus of the attack appears to have been to gain access to login credentials to its employee payroll system.
In that regard, the attack succeeded. After gaining access to the payroll system, the attacker managed to divert at least one employee payment to an unauthorized account. Bronson Healthcare Group have absorbed the losses and no employees are out of pocket as a result of the attack.
Bronson Healthcare Group brought in external cybersecurity professionals to investigate the breach and determine the nature and full scope of the attack. The investigation determined that only one of the compromised email accounts contained PHI. However, it was not possible to determine whether emails containing PHI were opened and if any information was downloaded. No reports of misuse of patient information have been reported to date.
The attackers certainly had plenty of time to peruse emails in the compromised accounts. According to the breach notification letters sent to patients, the Bronson Healthcare Group phishing attack took place between June 12 and June 27, 2017, but the security breach was not discovered until November. Patients were notified of the potential breach of their PHI on December 5, 2017.