Series of Phishing Attacks on Healthcare Organizations Sees 90,000 Files Displayed


The past few weeks have seen a substantial increase in successful phishing attacks on healthcare companies. In a little more than four weeks, there have been 10 main electronic mail hacking occurrences informed to the Division of Health and Human Services’ OCR, each of which has led to the disclosure and possible theft of more than 500 healthcare files. Those ten occurrences alone have seen nearly 90,000 healthcare files undermined.

Latest Electronic mail Hacking and Phishing Attacks on Healthcare Companies

HIPAA-Protected Unit Files Disclosed
Inogen Inc. 29,529
Knoxville Heart Group 15,995
USACS Management Group Ltd 15,552
UnityPoint Health 16,429
Texas Health Physicians Group 3,808
Scenic Bluffs Health Center 2,889
ATI Holdings LLC 1,776
Worldwide Insurance Services 1,692
Billings Clinic 949
Diagnostic Radiology & Imaging, LLC 800
The Oregon Clinic Undisclosed


Up to now this year there have been three data breaches involving the hacking of electronic mail accounts that have disclosed over 30,000 files. Organization for Health Care Administration experienced a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that led to the disclosure of 35,136 files, and the biggest electronic mail hacking occurrence of the year impacted Onco360/CareMed Specialty Pharmacy and affected 53,173 patients.

Wombat Security’s 2018 State of the Phish Report disclosed three-quarters of companies suffered phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Probes Report, issued in May, disclosed 43% of data breaches involved phishing, and a 2017 survey carried out by HIMSS Analytics on behalf of Mimecast disclosed 78% of U.S healthcare suppliers have suffered a successful electronic mail-related cyberattack.

How Healthcare Companies Can Improve Phishing Fortifications

Phishing aims the weakest link in a business: Workers. It, therefore, stands to reason that among the best fortifications versus phishing is improving safety consciousness of workers and training the staff on how to identify phishing attempts.

Safety consciousness training is a condition under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the staff, including management, should be trained on safety dangers and the risk they pose to the business.

“A company’s training program must be a continuing, evolving procedure and flexible enough to teach staff members on new cybersecurity dangers and how to react to them,” proposed OCR in its July 2017 cybersecurity newsletter.

HIPAA doesn’t specify how often safety consciousness training must be provided, even though ongoing plans including a variety of training methods must be taken into account. OCR points out several healthcare companies have chosen for bi-annual training accompanied by monthly safety updates and newsletters, even though more frequent training periods might be suitable depending on the level of danger faced by a business.

A blend of classroom-based periods, CBT training, newsletters, electronic mail alerts, pictures, team deliberations, questions, and other training methods can help a business develop a safety culture and significantly decrease vulnerability to phishing attacks.

The dangerous situation is constantly altering. To keep abreast of new dangers and cheats, healthcare companies must consider signing up with threat intelligence facilities. Warnings about new methods that are being used to distribute hateful software and the latest social engineering tricks and phishing cheats can be conveyed to workers to increase consciousness of new dangers.

Besides training, technological safeguards must be applied to decrease risk. Advance antivirus solutions and anti-malware defenses must be positioned to spot the installation of hateful software, while intrusion detection systems can be used to quickly recognize doubtful network activity.

Electronic mail safety solutions such as spam filters must be used to restrict the number of possibly hateful electronic mails that are delivered to end users’ inboxes. Solutions must examine inbound electronic mail attachments using multiple AV engines, and be arranged to isolate electronic mails containing possibly harmful file types.

Inserted URLs must be checked at the point when a user clicks. Attempts to access known hateful websites must be obstructed and an examination of unidentified URLs must be carried out before access to a webpage is allowed.

Phishing is extremely lucrative, attacks are frequently successful, and it remains among the easiest methods to gain a foothold in a network and gain access to PHI. As such, phishing will remain among the biggest dangers to the secrecy, integrity, and availability of PHI. It is up to healthcare companies to make it as problematic as possible for the attacks to succeed.