PHI of 447,000 Patients Potentially Compromised in Phishing Attack

Ransomware gangs have increased attacks on the healthcare industry. Data from Emsisoft show 560 healthcare providers fell victim to ransomware attacks in 2020 and, based on figures from the first 6 months of this year, that total looks likely to be exceeded in 2021. Ransomware attacks certainly make headline news, but phishing is still a major threat, with attacks having the potential to result in vast quantities of patient data being exposed and stolen.

One of the largest healthcare phishing attacks in recent years has been reported by the Central Florida ambulatory health service provider Orlando Family Physicians. Orlando Family Physicians announced last month that certain email accounts had been accessed by unauthorized individuals, with the investigation revealing four email accounts had been compromised in a phishing campaign. The first email account was discovered to have been breached on April 15, 2021.

The phishing attack was detected promptly, and action was rapidly taken to block unauthorized access to the email accounts. All four of the compromised accounts were accessible for only 24 hours before passwords were changed to prevent further unauthorized access. However, while the window of opportunity was relatively short, it was not possible to rule out unauthorized access to patients’ protected health information and the theft of PHI.

The aim of the attackers appears to have been to defraud Orlando Family Physicians rather than to obtain patient data, as the email accounts were used to try to redirect financial payments. However, in all incidents such as this where ePHI has potentially been compromised, the HIPAA Breach Notification Rule applies, and the breach is a reportable incident.

The review of the email accounts was completed on July 9, 2021, and confirmed that the protected health information of 447,426 patients had potentially been compromised. The exposed ePHI included names, demographic information, diagnoses, provider names, prescriptions, patient account numbers, health insurance information (Medicare beneficiary number or other subscriber identification number), medical record numbers, and passport numbers.

Orlando Family Physicians said it has implemented additional technical security measures following the breach and has provided additional security awareness training to its workforce.