Sutter Health is alerting a number of clients that some of their protected health information may have been accessed in a phishing attack on one of its business associates – the Salem and Green legal firm.
On approximately October 11, 2017, a phishing email was opened by an employee at Salem and Green, the reply to which gave the attackers access to that worker’s email account. Upon identifying the attack, a forensics firm was hired to carry out an analysis of the affected computer and network to find the extent of the attack and whether any sensitive information had been downloaded.
The investigation showed the security breach was restricted to a single email account and that access to the account was only open for two days. During the time that the email account was accessible, the attacker could view all emails in the account, some of which contained the protected health information of specific Sutter Health patients.
The sort of information possibly seen by the hacker was restricted to names, dates of birth, driver’s license numbers, Social Security numbers, and other professional ID details.
Outright evidence of data access was not found, although it was also not possible to eliminate data access/theft with a high degree of certainty. Sutter Health believes the risk of data misuse is minimal.
As a precautionary measure, all those impacted by the incident have been offered free credit monitoring and identity theft protection services for one year.
Sutter Health has announced that the legal firm has begun to enhance security to prevent more breaches of this nature and staff have been given security awareness training to help them spot email threats including phishing. The legal firm has also now put in place 2-factor authentication controls on all employee email accounts which will stop account access from unknown sources.