June 22, 2018
Two HIPAA-covered entities have recently revealed that they were victims of phishing attacks that may have led to the disclosure of patients’ protected health information (PHI).
Additional Phishing Attack Reported by Florida Agency for Persons with Disabilities
The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, spina bifida, cerebral palsy, and Down syndrome, has suffered one more phishing attack.
The phishing attack happened on April 10, 2018 and was limited to a single email account; nevertheless, that account contained the PHI of 1,951 customers or custodians.
While no evidence was found to indicate that any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% confidence. The compromised email account contained information such as names, health information, telephone numbers, addresses, birth dates, and Social Security numbers.
All patients have now been informed of the breach and have been offered credit monitoring services for a year without charge.
Three days after the attack, FAPD applied a security upgrade to prevent unauthorized individuals from accessing its email system, and additional training on email security procedures was provided.
This is not the first phishing attack to be reported by the organization in 2018. In February, a more widespread phishing attack led to several email accounts being compromised. That phishing attack affected over 55,000 customers, whose names, birth dates, and Social Security numbers were possibly compromised.
After the February attack, FAPD said it had implemented multi-factor authentication to prevent unauthorized access to its email accounts and provided additional training for workers on email security procedures.
Patients Alerted of Black River Medical Center Phishing Attack
Poplar Bluff, MO-based Black River Medical Center is warning some of its patients that their PHI has possibly been accessed by an unauthorized individual.
On April 23, 2018, a response to a phishing email allowed a hacker to gain access to the email account of a single worker. The email account contained a limited amount of protected health information, but not Social Security numbers or financial information. The breach was limited to names, phone numbers, addresses, and in some instances, treatment information.
The investigation verified that the incident was limited to the email account and no other systems were affected. No evidence was found to indicate that any PHI was accessed, obtained, or misused by the attacker.
Patients were notified of the incident on June 13, 2018, and a notice was posted on the healthcare provider’s website. The breach has yet to appear on the Division of Health and Human Services’ OCR breach portal, so it is currently unclear exactly how many patients have been impacted.