A new attack on healthcare data has been reported in Gary, Indiana, involving a phishing campaign that possibly exposed medical and personal information of 68,039 patients of Methodist Hospitals, Inc. (Methodist).
Methodist began an investigation after discovering unusual activity in an employee's email account in June 2019. By August 7, 2019, it had determined that two of its employees had fallen victim to a phishing campaign that gave an unknown threat actor unauthorized access to their email accounts. One account was accessed on June 12 and again from July 1 to July 8, 2019; the other was accessed between March 13 and June 12, 2019.
Following this discovery, Methodist reviewed the contents of the two compromised email accounts. According to the report released by Methodist, the accounts held a trove of personal and medical information, including lists of health insurance subscribers, Social Security numbers, driver's license/state identification numbers, passport numbers, financial account numbers, and medical record numbers.
Methodist has yet to see evidence that the exposed information is being actively used for illicit activities, and it has taken steps to keep patients informed. It identified the affected patients and notified them of the incident, and it has also coordinated with state and federal regulators.
Data breach and healthcare
Healthcare institutions, along with financial, government, and educational institutions, hold a trove of sensitive information that is not limited to medical data, making them a prime target for data breaches. This incident also illustrates how sensitive information can be exposed from unexpected sources: in this case, ordinary employee mailboxes rather than a clinical database. Sensitive information can also reside in healthcare software interfaces that are unknowingly exposed online, as seen in research Trend Micro conducted on connected hospitals in 2018.
Exposed information puts patients at considerable risk, since it can be used for other malicious activities such as identity theft and extortion (in cases where a patient's medical condition requires confidentiality).
To prevent such incidents, healthcare institutions should regularly review their security architecture and policies, especially those that govern the data they hold. Healthcare institutions should also take into account the security risks that come with adopting technologies like the internet of things (IoT) and be prepared for other forms of cyberattacks.
Organizations can take steps to defend against similar attacks and prevent data breach incidents through these best practices:
Map where data is collected, stored, and processed. This step also includes identifying the organization's mission-critical assets, which need the most protection, and recognizing that email accounts, not only databases, can accumulate sensitive data.
Create a culture of security and implement policies that everyone in the company understands. A culture of security can help prevent the success of social engineering, business email compromise (BEC) attacks, and phishing campaigns.
Employ data minimization. This involves gathering only the data needed to fulfill specific functions, and not retaining it in places such as email where it is exposed if an account is compromised.