Phishing Attack on FAPD and Black River Medical Center

Two HIPAA-covered organizations have recently announced they have been victims of phishing attacks that potentially resulted in the disclosure of the protected health information (PHI) of patients. The first is a phishing attack on Florida Agency for Persons with Disabilities, the second on Black River Medical Center.

The Florida Agency for Persons with Disabilities (FAPD), an institution that offers support services for those who have disabilities such as autism, spina bifida, cerebral palsy and Downs syndrome, experienced a phishing attack on April 10, 2018. The hacker only gained access to a single email account, but it contained the 1,951 PHI of customers or guardians.

Although no proof was obtained of PHI access or theft by the attacker, it was not possible to rule out data access or data theft with a high degree of certainty. The compromised email account included information such as names, dates of birth, addresses, phone numbers, medical information, and Social Security numbers. All individuals affected by the breach have now been informed and were offered free credit monitoring services for 12 months.

Three days after discovering the attack, FAPD integrated a security upgrade to make it harder for unauthorized people to gain access to its email system. Additional training about email security practices was also given to employees. This is the second phishing attack reported by the FAPD in 2018. In February, a sizable phishing attack resulted in multiple email accounts being accessed by unauthorized individuals resulting in the exposure of 55,000 patients’ PHI, including names, dates of birth and Social Security numbers. After the February attack, FAPD claimed it had applied multi-factor authentication to avoid unauthorized access of its email accounts.

Black River Medical Center in Poplar Bluff, MO alerted a number of its patients about a potential data breach. According to the breach report, an employee responded to a phishing email on April 23, 2018 which allowed the hacker to access the email account. There was a limited amount of PHI contained in the account, but no financial information or Social Security numbers was exposed, only names, addresses, telephone numbers and some treatment information.

The investigation verified that the breach only affected one email account and all other systems remained secure. No reports have been received to suggest the accessing or misuse of any PHI by the attacker. Patients were notified on June 13, 2018. The breach has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many patients were impacted.