Legacy Health Says Phishing Attack Breaches Thousands of Patient Records

Source: n0where.net

Advancements in technology over the years have been viewed as both good and bad: the creation of the internet can be seen as a good thing, since information can be obtained quickly, but also as a bad thing, since hackers continue to exploit it for their own personal gain.  Sadly, reports keep coming of a person, a business or an institution having had its security breached by hackers, and healthcare seems to be a prime target.  One example is a recent report that Legacy Health had to inform thousands of patients that their records might have been compromised in a phishing attack.

Source: hipaajournal.com

What is a Phishing Attack?

Considering we live in a society today where cyber-attacks have sadly become the norm, people can sometimes confuse one type of hack with another.  Ransomware, for example, is a cyber-attack where the target’s system is locked down and the only way to regain access is to pay the hacker a ransom fee.  While phishing is another form of cyber-attack, the goal of the hacker is different.

Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication.  According to Legacy Health, this was the type of cyber-attack that it fell victim to.

Source: healthcareitnews.com

Patients are Notified About the Breach

According to writer Jessica Davis of Healthcare IT News, Legacy Health became the latest victim of a cyber-attack that involved phishing, and the result was a breach that possibly compromised the personal data of 38,000 patients.  Although Legacy Health posted a notification on its website warning patients of the breach on August 20th, the notice says that it learned of the unauthorized access on June 21st of this year; however, the access itself occurred a month prior, in May.

The health system decided to employ a third-party forensic firm to assist with its investigation.  Officials determined that, besides the unauthorized access to some employee accounts, the breach included patient data such as medical data, email accounts, billing details, demographic information, health insurance information, dates of birth and, for some patients, driver’s licenses and Social Security numbers.

All impacted patients received one year of free monitoring, and Legacy Health said it is implementing additional access restrictions.  Further details were not provided.

Health Systems are Vulnerable to Phishing Attacks

The phishing attack against Legacy Health is sadly not an isolated incident.  It is just the latest example of a health system being breached by a phishing attack this year.  In fact, the most recent Protenus Breach Barometer found that phishing attacks became the greatest cyber threat of 2018’s second quarter.

Four organizations in July alone reported breaches that involved a phishing attack, the largest of which was 1.4 million patient records at UnityPoint Health.  What makes matters more alarming is that this was the second breach of the health system by a phishing attack in 2018.

Source: hipaajournal.com

Fortunately, there are ways to combat phishing attacks that organizations have found effective.  This begins with educating staff on what to avoid doing so as not to leave the door open to a phishing attack.  Many organizations are finding success in testing their employees’ awareness through phishing simulations, while monitoring the network is critical for finding abnormal user behavior or access.