Sutter Health is contacting certain patients to advise them that their protected health information may have been exposed in a phishing attack on the legal firm Salem and Green, one of its business associates.
It is thought that the attack took place on or around October 11, 2017, when a phishing email was received by a worker at Salem and Green. The worker responded and, in doing so, allowed the attackers access to their email account. After the attack was discovered, a forensics firm was brought in to review the affected computer and network to determine the nature of the attack and whether any sensitive information had been taken.
The review indicated that the security violation was limited to a single email account and that access to the account was only possible for two days. While the email account was accessible, the attacker had access to all emails in the staff member’s account, some of which contained the protected health information of certain Sutter Health subscribers.
The types of data that may have been accessed by the attacker were limited to names, dates of birth, driver’s license numbers, Social Security credentials, and other identification details.
It could not be completely confirmed that data access and theft took place, nor could it be completely ruled out. Sutter Health has said that it believes the chance of data misuse is not high.
As a precaution, all people who may have been impacted by the incident have been given complimentary credit monitoring and identity theft protection services for 12 months.
Sutter Health has announced that the legal practice is putting in place safeguards to strengthen security and eliminate the possibility of further breaches of this nature, and staff have been provided with security awareness education to help them identify email threats such as phishing. The legal practice is also putting in place 2-factor authentication on every internal email account, which will block account access from unknown devices or computers.