A phishing attack at the Medical College of Wisconsin has exposed the protected health information of approximately 9,500 patients. The attackers were able to gain access to several staff members’ email accounts, which contained a variety of sensitive information about patients and some faculty employees.
The types of data in the accessed email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment details, surgical information, and dates of service. A very small number of people also had their Social Security numbers and bank account information accessed.
The incident took place over the space of a week in the summer, between July 21 and July 28, when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login details.
Medical College of Wisconsin hired a computer forensics firm to complete an investigation into the phishing attack, and while that investigation discovered that access to the email accounts was gained by unauthorized people, it was not possible to determine whether emails with protected health information had been accessed or viewed, or if any sensitive information was obtained. Since the attack happened, no reports of misuse of patient information have been filed.
To protect people from identity theft and fraud, credit monitoring and identity theft restoration services have been provided for breach victims free of charge, but only to those people whose Social Security numbers were accessed.
Medical College of Wisconsin revealed that in addition to some faculty employees and Medical College of Wisconsin patients, some people who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been affected by the breach.
The most recent Medical College of Wisconsin phishing attack comes just 10 months after a similar incident that resulted in 3,200 patients’ protected health information being accessed.