Phishing is the most common method used by cybercriminals to attack businesses, especially those in healthcare. Barely a day goes by without a breach report being submitted to the Department of Health and Human Services’ Office for Civil Rights involving email accounts compromised due to phishing attacks. Here we list some examples of phishing attacks on healthcare organizations that have resulted in data breaches, financial penalties, and lawsuits. Many of the examples of phishing attacks included below could have been prevented had low-cost solutions been implemented.
The examples of phishing attacks below have proven to be extremely costly to resolve, with some resulting in losses of more than 100 million dollars and serious damage being caused to the reputations of the organizations.
The largest and costliest healthcare data breach in history occurred at Anthem Inc. in February 2014 but was not detected for a year. Malware was installed on the network that gave a nation-state threat actor access to the protected health information of 78.8 million health plan members. Mandiant investigated the cyberattack and determined it most probably was due to an employee at an Anthem subsidiary opening a phishing email, which saw malware downloaded. Anthem Inc. was investigated and fined $16 million by the Office for Civil Rights, and a multi-state action was settled with state attorneys general for $48.2 million. Anthem settled a class action lawsuit with breach victims for $115 million.
The health insurer Premera Blue Cross also reported a major data breach in 2015, which involved the personal information of around 10.4 million individuals. As with the attack on Anthem Inc., the initial access to its network occurred in 2014 and was again the result of phishing emails sent to employees that installed malware, with the attack and malware infection going undetected for around 9 months. The Office for Civil Rights fined Premera Blue Cross $6,850,000 over the incident, and Premera settled a multi-state action for $10,000,000 and a class action lawsuit for $74 million.
This is one of the examples of phishing attacks in healthcare where the failure to implement appropriate measures to block phishing attacks has proven costly. In 2017, UnityPoint Health suffered a phishing attack in which attackers gained access to email accounts containing the protected health information of 16,429 individuals. Steps were apparently taken to improve email security, yet a year later, between March and April 2018, the healthcare organization was targeted again, and this time the data of over 1.4 million patients was compromised. The second attack was conducted to divert payroll and vendor payments.
In 2021, University of San Diego Health was the victim of a phishing campaign that saw several employee email accounts compromised, which gave the attackers access to sensitive patient, student, and employee information. The information of 495,949 individuals was compromised in the attack, and the attack went undetected for months. The first account was breached in December 2020, the attack was detected on March 12, 2021, but the attackers were not removed from its systems until April 8, 2021.
While not the most serious of these examples of phishing attacks in terms of the number of individuals affected, the phishing attack on University of Washington Medicine still proved costly. In this incident, an employee was sent a phishing email in October 2013 that asked them to review a document online, which triggered a malware download that gave the attacker access to the data of 90,000 patients. The HIPAA violations uncovered that contributed to the success of the attack were resolved with OCR for $750,000.
These examples of phishing attacks are all too common in healthcare. While it may not be possible to prevent all phishing attacks, by adopting the right cybersecurity solutions and providing training to the workforce, the majority of phishing attempts can be blocked, and the severity of the attacks reduced.
To combat phishing, a combination of measures is required. These should include an email security solution to prevent phishing emails from reaching inboxes, a web filter for blocking access to phishing and other malicious websites, antivirus software on all endpoints, an intrusion detection system for identifying suspicious activity, and comprehensive security awareness training for the workforce to raise awareness of the threat of phishing, along with phishing simulations for testing the resilience of the workforce to phishing attacks.
To limit the harm caused should an attack result in credential theft, multi-factor authentication should be used on all email accounts. It is also important to clear email accounts regularly so that if an account is compromised, the amount of data that can be obtained will be minimized. Since emails may need to be retained for legal reasons, consider using a secure email archive.