NCH Healthcare System is preparing to notify patients that their protected health information may have been compromised in a phishing attack.
On June 14, 2019, NCH Healthcare System, based in Bonita Springs, Florida, noticed suspicious email activity on its payroll database.
NCH immediately investigated the incident and discovered that 73 employees had replied to a phishing email and therefore had disclosed their account credentials to unauthorized individuals.
NCH Healthcare system is still in the process of investigating the attack. They have hired a third-party computer forensics company to assist with the investigation and determine the scope of the breach.
The early findings of the investigation suggest that the primary aim of the hackers was not to obtain PHI. The hackers appear to have been financially motivated and hacked the email accounts to attempt to redirect payroll payments.
The forensic team revealed on July 2, 2019, that some patient information was breached due to the attack. However, as the investigation is ongoing, no statement has been made on the types of information that were potentially infiltrated.
NCH has stated that they are still identifying patients who may have been affected by the breach. All impacted patients will be sent breach notification letters once the investigation comes to a close.
Considering the size of the breach and the sheer number of email accounts affected, it could take some time to identify all affected patients. NCH has warned that the investigation could run for some time yet given the number of individual emails in each compromised accounts that need to be reviewed to determine whether they include protected health information.
NCH compliance officer Kelly Daly revealed that the security measures put in place before the phishing attack limited the harm caused. Without those measures in place, she claimed that the scam could have also tricked more of the company’s 5,000 staff members.
NCH has yet to uncover any evidence to suggest that the hackers have stolen, copied, or improperly used patient PHI. NCH has advised patients to monitor their explanation of benefits statements and accounts for evidence of identity theft and other misuses of their data.
Usually, healthcare organizations investigate suspicious activity on an email account and later find out that the attack was more extensive than first thought. In many cases, after the first compromised account is noticed, the organization realizes that the hacker infiltrated many more accounts using the same phishing scheme.
This breach is unusually large; a hacker accessing 73 email accounts in a single organization is highly unusual. This case highlights the importance of adequately training employees on the dangers of phishing emails and how to spot and deal with them appropriately.