NCH Healthcare System Phishing Attack Impacts 73 Email Accounts

Sep 2, 2019

A phishing attack on Bonita Springs, FL-based NCH Healthcare System was noticed on June 14, 2019, when suspicious email activity was observed on its payroll database.

The investigation indicated that 73 employees had replied to phishing emails and disclosed their account credentials to the cybercriminals.

It is typical for healthcare organizations to identify an email account breach and later find out that the attack was more extensive than first thought. In many cases, multiple email accounts are discovered to have been compromised, often due to lateral phishing: the use of one compromised email account to send phishing emails to other individuals in the organization. However, a breach as extensive as this is fortunately unusual.

NCH Healthcare System is still reviewing the attack and is being helped by a third-party computer forensics company. The early findings of the investigation suggest the attackers were not focused on obtaining PHI. Instead, their aim appears to have been to redirect payroll payments.

The forensic team revealed on July 2, 2019 that some patient information was breached due to the attack, but as the investigation is still ongoing, no confirmation has yet been issued on the types of information that were potentially compromised. Impacted persons will be notified when the investigation has come to a close.

The investigation could run for some time yet given the extent of the breach and the number of emails in the compromised accounts that need to be reviewed to determine whether they include protected health information.

NCH compliance officer Kelly Daly revealed that the security measures put in place before the phishing attack limited the harm caused. Without those measures in place, more of the company’s 5,000 staff members could also have been tricked by the scam.

No reports have been submitted so far to indicate that patients’ PHI has been improperly used, but patients are being warned to monitor their explanation of benefits statements and accounts for evidence of identity theft and other misuses of their personal data.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
