90,000 Health Records Exposed Due to Phishing Attacks on Healthcare Organizations

The number of successful phishing attacks on healthcare organizations has risen sharply in recent weeks. In just four weeks, the Department of Health and Human Services’ Office for Civil Rights (OCR) received 10 reports of major email hacking incidents, exposing a total of about 90,000 health records. Each incident exposed the protected health information (PHI) of more than 500 individuals, the threshold that triggers prompt reporting to OCR under the HIPAA Breach Notification Rule, and left that data open to theft and misuse.

Here is the list of recent breach incidents at healthcare organizations:

HIPAA-Covered Entity                    Records Exposed
Inogen Inc.                             29,529
Knoxville Heart Group                   15,995
USACS Management Group Ltd              15,552
UnityPoint Health                       16,429
Texas Health Physicians Group            3,808
Scenic Bluffs Health Center              2,889
ATI Holdings LLC                         1,776
Worldwide Insurance Services             1,692
Billings Clinic                            949
Diagnostic Radiology & Imaging, LLC        800
The Oregon Clinic                       Undisclosed

So far this year, three breaches caused by the hacking of email accounts have each exposed 30,000 or more health records. The organizations affected were:

  • Agency for Health Care Administration – 30,000-record breach in January
  • ATI Holdings, LLC – 35,136-record breach in March
  • Onco360/CareMed Specialty Pharmacy – 53,173-record breach

According to Wombat Security’s 2018 State of the Phish Report, three quarters of organizations were hit by phishing attacks in 2017, and 53% of those experienced targeted (spear phishing) attacks. The Verizon 2017 Data Breach Investigations Report, published in May, found that 43% of data breaches involved phishing. A separate study by HIMSS Analytics and Mimecast found that 78% of U.S. healthcare providers had been successfully attacked via email.

In view of these statistics, how can healthcare organizations improve their phishing defenses? Phishing attacks target an organization’s employees, so the most effective defense is to train the workforce to recognize phishing attempts and to report suspected ones promptly. The HIPAA Security Rule in fact requires security awareness training for the workforce (45 CFR 164.308(a)(5)), and that training should be ongoing and updated to address new cybersecurity threats as they emerge.

Although HIPAA does not specify how often security awareness training must take place, a healthcare organization should run it as an ongoing program rather than a one-off event. Twice-yearly training supplemented by monthly security updates is a reasonable baseline; organizations facing a higher level of risk may train more frequently. Different delivery methods can be combined, including classroom sessions, team discussions, computer-based training, email alerts, newsletters and posters.

Healthcare organizations should also consider subscribing to threat intelligence services to stay current with new threats and scams. These services describe new malware and phishing techniques as they appear, along with countermeasures the organization can implement or at least be aware of.

The organization should also implement technical safeguards to reduce the risk, such as:

  • Anti-virus and anti-malware solutions to detect malicious software and suspicious network activity
  • Spam filters to limit the malicious email that reaches inboxes and to quarantine messages with harmful attachments
  • URL/link checkers to analyze unknown URLs before allowing access to the linked web page
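As an added illustration of the second and third safeguards (this is example code written for this page, not part of the original article or of any product it mentions), the Python script below triages a constructed inbound message: it quarantines mail carrying risky attachment types, flags links whose visible text shows one domain while the href points somewhere else, and hands links to unknown hosts to a URL checker. The list of risky extensions, the allowlist of known hosts, the sample sender and the sample messages are all assumptions made for the example.

```python
"""Added example: minimal inbound-mail triage demonstrating the spam-filter and
URL-checker safeguards described above. All lists, hosts and sample messages
below are assumptions for illustration, not taken from any real product."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: attachment types that should never reach an inbox unreviewed.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Assumed: hosts the organization already trusts; links elsewhere go to a URL checker.
KNOWN_HOSTS = {"portal.example-hospital.org", "example-hospital.org"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain):
    """Lower-cased host of a URL, or of a bare domain such as 'portal.example.org'."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def triage(raw):
    """Return a quarantine decision, the reasons for it, and URLs needing analysis."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, urls_to_check = [], []

    # Spam-filter role: quarantine on harmful attachment types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")

    # URL-checker role: inspect every link in the HTML body.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            # Visible text that looks like a domain or URL but disagrees with the
            # real target is the classic disguised-link lure.
            if re.search(r"\b[\w-]+\.[a-z]{2,}\b", text, re.I) and _host(text) != href_host:
                findings.append(f"link text {text!r} but href host {href_host!r}")
            if href_host not in KNOWN_HOSTS:
                urls_to_check.append(href)

    return {"quarantine": bool(findings), "findings": findings, "urls_to_check": urls_to_check}


def build_sample(html, attachment_name=None):
    """Constructed test message (not a real phishing sample)."""
    m = EmailMessage()
    m["From"] = "billing@example-hospital-login.net"   # assumed look-alike sender
    m["To"] = "nurse@example-hospital.org"
    m["Subject"] = "Outstanding invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed inputs: a disguised-link lure with a macro document, and a clean message.
PHISH = build_sample(
    '<p>Please review: <a href="http://example-hospital-login.net/x">'
    'https://portal.example-hospital.org/login</a></p>', "Invoice.docm")
BENIGN = build_sample('<p><a href="https://portal.example-hospital.org/login">Patient portal</a></p>')

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(BENIGN))
```

Running the script quarantines the constructed lure for two reasons (the .docm attachment and the mismatched link) and queues its real target for URL analysis, while the clean message passes with nothing to check. A production filter would add sender authentication checks (SPF, DKIM, DMARC) and detonate unknown URLs and attachments in a sandbox; the point here is that each safeguard in the list above maps to a concrete, testable rule.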

Phishing attacks will continue because of the success attackers have had in using them to gain access to networks and PHI. Healthcare organizations need to do their part to make email compromise and phishing as difficult as possible for attackers.