Confluence Health Discovers Phishing Attack Resulted in PHI Exposure

A data breach has been reported by Confluence Health, a non-profit health system that manages Wenatchee Valley Hospital, Central Washington Hospital and other satellite medical centers in Central and North Washington. The breach occurred as a result of an employee responding to a phishing email.

The data breach was detected on May 29, 2018, when suspicious email account activity was identified. A third-party computer forensics firm was called in to conduct a detailed investigation into the breach. That investigation revealed that an unauthorized individual gained control of an employee’s email on May 28 and accessed the account the same day and again on May 30.

The compromised email account contained only a limited amount of protected health information. No financial data, Social Security numbers or highly sensitive information was exposed. The breach was limited to patient names and treatment information.

Prior to the phishing attack, Confluence Health had implemented layered security defenses and employees had undergone security awareness training to raise awareness of the threat from phishing. However, on this occasion, those measures were not sufficient to prevent a successful phishing attack.

Even though an unauthorized individual may have viewed PHI, the investigators didn’t uncover proof that the PHI was stolen and Confluence Health has not been notified about any potential misuse of PHI. Confluence Health has now notified all impacted patients about the breach. The breach has prompted the healthcare provider to implement further security controls which will detect suspicious email or network activity faster.

This latest phishing attack is one of many phishing breaches to be reported by healthcare providers in the past two months. Boys Town National Research Hospital, Terteling Co. Inc, Group Benefit Plan, Sunspire Health and Alive Hospice have also discovered that email accounts were compromised as a result of employees responding to phishing emails.