
A phishing attack on Bonita Springs, FL-based NCH Healthcare System was noticed on June 14, 2019 when suspicious email activity on its payroll database.
The investigation indicated that 73 employees had replied to phishing emails and disclosed their account credentials to the cybercriminals.
It is typical for healthcare organizations to identify an email account breach and later find out that the attack was more extensive than first thought. In a lot of cases, many email accounts are discovered to have been compromised, often due to lateral phishing – the use of one impacted email account to send phishing emails to other individuals in the group. However, a breach as thorough as this is fortunately unusual.
NCH Healthcare system is still reviewing the attack and is being helped by a third-party computer forensics company. The early findings of the investigation suggest the attackers were not focusing on obtaining PHI, instead the aim of the hackers appears to have been to redirect payroll payments.
The forensic team revealed on July 2, 2019 that some patient information was breached due to the attack, but as the investigation is still current, at this stage no confirmation has been issued on the types of information that were potentially infiltrated. Impacted persons will be made aware when the investigation has come to a close.
The investigation could run for some time yet given the extent of the breach and the number of emails in the compromised accounts that need to be reviewed to determine whether they include protected health information.
NCH compliance officer Kelly Daly revealed that the security measures put in place before the phishing attack limited the harm caused. Without those measures in place, more of the company’s 5,000 staff members could also have been tricked by the scam.
No reports have been submitted so far to indicate that patients’ PHI has been improperly used, but patients are being warned to monitor their explanation of benefits statements and accounts for evidence of identity theft and other misuses of their personal data.