A phishing attack at Main Line Endoscopy Centers has compromised the sensitive data of over 14,000 patients.
Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania, discovered the attack on January 30, 2019. Investigators were unable to determine when the attacker first gained access to the email account.
The attacker appears to have gained access to the email account through a phishing attack. Phishing campaigns pose a severe threat to the healthcare industry, as it only takes one employee in an organisation to fall for a phishing campaign for the entire network to be compromised. Healthcare data has a substantial black-market value due to its potential use in fraud, so healthcare organisations are potentially lucrative targets for hackers.
Main Line Endoscopy Centers contracted a third-party computer forensics firm to help determine whether the attacker had accessed any of the emails in the account and whether any patient information had been compromised. The investigators concluded that it was possible that the attacker had accessed the protected health information (PHI) of certain patients. The information that may have been compromised included names, dates of birth, and limited clinical information. Some patients also had their Social Security number, driver’s license number, or health insurance information exposed.
Following HIPAA’s Breach Notification Rule, Main Line Endoscopy Centers sent breach notification letters on March 29, 2019, to all affected patients. Out of an abundance of caution, the facility has offered all individuals whose Social Security number or driver’s license number was exposed complimentary identity theft protection services for 12 months, as these patients are most at risk of fraud.
All individuals affected by the breach have been advised to monitor their accounts, explanation of benefits statements, and credit reports carefully for any sign of fraudulent use of their information.
Main Line has provided further HIPAA compliance training to all staff to improve email security awareness and mitigate the risk of another successful phishing attack.
Multi-factor authentication has been implemented, along with other security measures, to prevent accounts from being accessed if further credentials are compromised.
Main Line reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates that 14,305 patients were affected by the breach.