Health First Phishing Attack Affects 42,000 Clients

Health First Inc., a four-hospital Florida-based health system, experienced a hacking/IT incident earlier this year that was reported to the Department of Health and Human Services’ Office for Civil Rights on October 5. According to the OCR breach summary, 42,000 clients were affected by the breach. Additional information has now been released on the nature of the breach.

According to Health First, the email accounts of several workers were compromised in the phishing attack. The exposed protected health information was contained in the compromised email accounts. The electronic medical record system was unaffected by the attack.

An investigation into the breach revealed that the attackers first gained access to worker email accounts in February 2018. Those email accounts were used to carry out further phishing attacks on other Health First workers until May 2018.

According to Health First, the attackers gained access to “a small number” of worker email accounts. The compromised email accounts contained a limited amount of protected health information such as names, birth dates, and addresses, although some individuals’ Social Security numbers were also exposed. No medical information or financial information was compromised.

A forensic analysis was carried out to determine the nature of the breach and the individuals affected. Based on that analysis, Health First does not believe the attackers were interested in viewing emails or obtaining protected health information. The attackers appeared to be interested only in compromising more email accounts to carry out further phishing scams. The analysis indicated that only a small number of emails were accessed by the attackers.

Upon discovery of the breach, Health First changed the passwords on all compromised email accounts to prevent any further access, and new security measures have now been implemented.

All affected patients have been notified of the breach by mail and offered AllClear ID identity theft monitoring and repair services for 12 months at no charge.