NCH Healthcare System Phishing Attack Impacts 73 Email Accounts

Sep 2, 2019

A phishing attack on Bonita Springs, FL-based NCH Healthcare System was discovered on June 14, 2019, when suspicious email activity was noticed on its payroll database.

The investigation indicated that 73 employees had replied to phishing emails and disclosed their account credentials to the cybercriminals.

It is typical for healthcare organizations to identify an email account breach and later find out that the attack was more extensive than first thought. In many cases, multiple email accounts are discovered to have been compromised, often due to lateral phishing: the use of one compromised email account to send phishing emails to other individuals in the group. However, a breach as extensive as this is fortunately unusual.

NCH Healthcare System is still reviewing the attack and is being helped by a third-party computer forensics company. The early findings of the investigation suggest the attackers were not focusing on obtaining PHI; instead, the aim of the hackers appears to have been to redirect payroll payments.

The forensic team revealed on July 2, 2019 that some patient information was breached due to the attack, but as the investigation is still ongoing, no confirmation has been issued at this stage on the types of information that were potentially compromised. Impacted persons will be made aware when the investigation has come to a close.

The investigation could run for some time yet given the extent of the breach and the number of emails in the compromised accounts that need to be reviewed to determine whether they include protected health information.

NCH compliance officer Kelly Daly revealed that the security measures put in place before the phishing attack limited the harm caused. Without those measures in place, more of the company’s 5,000 staff members could also have been tricked by the scam.

No reports have been submitted so far to indicate that patients’ PHI has been improperly used, but patients are being warned to monitor their explanation of benefits statements and accounts for evidence of identity theft and other misuses of their personal data.


Patrick Kennedy
