In the US, Wise Health in Texas has begun reaching out to potential victims of a suspected data breach, informing them that their personal health information may have been exposed following a phishing attach. It is believed the breach may impact upon almost 67,000 patients.
The attack occurred on March 14, 2019, Wise Health says. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits. Attempts were made to redirect approximately 100 direct deposit payments.
Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5, 2019 and the unusually high number of checks raised the alarm, thanks to the two-check policy. A system-wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate the breach. The breach was also reported to the FBI.
The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.
Wise Health System does not believe PHI was accessed by the attackers and there have been no confirmed reports that patient information has been misused. Both forensics firms and the FBI share that point of view. The investigators all agreed they have never seen a direct deposit attack such as this where the attackers have stolen patient data. These gangs specialize in direct deposit fraud. The attackers in this case were traced to Africa by the FBI, which has now closed its investigation.
A data audit was completed to determine the scope and nature of the information potentially compromised, which began in June 2019 and was recently completed. Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on February 13, 2020, and affected patients have been offered between twelve and twenty four (12-24) months of complimentary membership to ID Experts MyIDCare service, which includes credit monitoring, identity theft recovery, and insurance coverage.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/