Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has announced that it is notifying patients following a phishing attack which saw patient data compromised.
Perry County Medical Center, a health care centre based in Linden, Tennessee, noticed suspicious activity on an employee email account on May 28, 2019. The IT department was quickly notified, and it was discovered that an unauthorized individual had gained access to the employee email account after the employee had responded to a phishing email.
The organization contacted cybersecurity experts to assist with the aftermath of the breach. Following an investigation into the compromised email account, the experts discovered that the employee’s email account contained a spreadsheet holding a large quantity of patient information. The information that may have been accessed included names, dates of birth, dates of service, physicians’ names, prescription information, and health insurance group and ID numbers. The hacker could not access financial information or Social Security numbers.
According to Perry County Medical Center’s website, the health information was collected through the 340B drug pricing program run by the federal government, which ‘requires prescription drug manufacturers to provide outpatient drugs to certain health care organizations at a reduced cost’.
The cybersecurity experts did not find evidence to suggest that the hackers accessed, altered or exfiltrated patient data. As of writing, Perry County Medical Center has yet to uncover any instances of identity theft or misuse of PHI.
As neither financial information nor Social Security numbers were affected by the breach, the patients are at low risk of becoming victims of fraud. However, Perry County Medical Center still treated the incident as a data breach and is following HIPAA’s Breach Notification Rule by sending notification letters to all affected patients once all affected individuals have been identified.
Furthermore, out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services.
The attack has prompted a review of privacy and security controls. Perry County Medical Center has stated that it intends to strengthen its cybersecurity framework by implementing measures to improve email security.
Perry County Medical Center has not released a figure for the number of patients affected by the breach.
Healthcare information has a high black market value, and therefore, even small or medium-sized healthcare organizations are potentially lucrative targets to hackers. It only takes a single employee falling for a phishing campaign for a network to be compromised and for patient information to be placed at risk. Extensive employee HIPAA compliance training is needed to mitigate the risk of a phishing attack being successful.