The Ohio Healthcare Provider Aultman Health Foundation has discovered some of its employees have been duped by a phishing attack that resulted in the threat actors behind the campaign gaining access to several email accounts.
A phishing attack was detected on March 28, prompting a full investigation of the breach. The investigation revealed some employees had fallen for the phishing scam in mid-February. Further accounts were then compromised, with access to the affected accounts continuing until late March when a password reset was performed.
The security breach was limited to email accounts and the healthcare provider’s medical record system was not compromised, although the email accounts did contain a range of health and personal information of 42,600 patients of Aultman Hospital, 25 physician practices, and employees and prospective employees who had previously been tested by the AultWorks occupational medicine division.
Individuals who had been assessed by the AultWorks occupational medicine division had information such as medical histories, hearing and breathing test information, physical examination information, and demographic information exposed, and in some cases, Social Security numbers and driver’s license numbers. SSNs and driver’s license numbers were only exposed for individuals whose employers shared that information with the occupational medicine division, such as those who use SSNs to identify specific individuals. Individuals whose SSN or driver’s license number was potentially compromised have been offered a year of credit monitoring services without charge.
There has been a spate of phishing attacks on healthcare organizations in the United States in recent months, with several attacks resulting in data breaches. These attacks highlight the need for healthcare providers to improve anti-phishing defenses, including the use of additional technological controls such as spam filters and behavioral monitoring systems as well as providing regular security awareness training to help employees detect potentially malicious emails and to eradicate risky behaviors.
In addition to performing a password reset, Aultman Health Foundation has provided further training to staff to improve resilience to phishing attacks, added new security features to email accounts, and restrictions have been put in place to ensure employees can only set complex passwords. The delay between the attack and its discovery has also prompted Aultman Health foundation to improve its security monitoring procedures.