Kaleida Health has announced that an employee fell for a phishing scam, resulting in the protected health information (PHI) of 744 patients being exposed and potentially obtained by an unauthorized individual.
The phishing attack occurred on June 26, 2017 and gave the attacker access to the employee’s email account. The account contained a range of protected health information, including names, medical record numbers, diagnoses, treatment information, and other clinical data. Some patients’ Social Security numbers were also exposed.
Patients affected by the phishing attack were notified of the privacy breach on August 25. Although their information may not actually have been accessed or obtained, credit monitoring services have been offered out of an abundance of caution. Kaleida Health reports that it has received no evidence of misuse of patients’ information.
Occasional phishing attacks are to be expected, but in Kaleida Health’s case this was the second in as many months: a similar attack a month earlier potentially exposed the PHI of 2,800 patients. That first attack occurred on May 24, 2017 and exposed a similar range of information, although no Social Security numbers were compromised in that case.
Following the attacks, Kaleida Health will be enhancing security measures to prevent further phishing-related breaches.
Protected health information is highly valuable because it can be used for a wide range of malicious purposes, and phishing attacks on healthcare providers are common. Healthcare organizations therefore need to implement defenses against phishing attacks.
Technology can help to prevent phishing emails from reaching inboxes and can be used to block access to phishing websites, but no solution will be 100% effective, 100% of the time. Healthcare employees therefore need to be trained to identify phishing scams. Not only does this help to prevent data breaches, security awareness training is also a requirement of the HIPAA Security Rule (45 CFR § 164.308(a)(5)).
Security awareness training should be an ongoing process rather than a one-off exercise. Training sessions should be provided at least twice a year, supplemented by regular bulletins and newsletters that keep security at the forefront of employees’ minds and alert them to the latest threats. Phishing simulation exercises are also a useful way to reinforce training: they give employees practice at identifying phishing emails in a safe environment and show how well the training is working.
Employees are a weakness in security defenses, but training can turn healthcare employees into a strong last line of defense against phishing attacks.