Medical College of Wisconsin Phishing Attack May Affect Almost 10,500 People

A phishing attack at the Medical College of Wisconsin has led to the exposure of approximately 9,500 patients’ protected health information. The hackers gained access to the email accounts of staff members, which contained a range of private information about patients and some faculty employees.

The types of information in the accessed email accounts included names, addresses, medical record numbers, birth dates, health insurance details, medical histories, treatment details, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the week of July 21-28, 2017, when spear phishing emails were sent to specific people at the Medical College of Wisconsin. Responding to those emails led to the attackers gaining access to email login details.

The educational institution brought in a computer forensics firm to investigate the phishing campaign. While that investigation found that unauthorized individuals had gained access to the email accounts, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or whether any sensitive information was taken. Since the cyberattack happened, no reports of illegal use of patient information have been received.

To safeguard individuals from identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those people whose Social Security numbers were taken.

Medical College of Wisconsin stated that, along with some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been affected by the breach.

The latest Medical College of Wisconsin phishing attack comes roughly 10 months after a similar attack led to the exposure of 3,200 patients’ protected health information to unauthorized people.