Phishing Attack on Health First Compromised 42,000 Customers’ PHI

Health First Inc., a health system with four hospitals based in Florida, experienced a hacking/IT incident earlier this year and reported the breach to the Department of Health and Human Services’ Office for Civil Rights on October 5. Further information has now been released on the nature of the breach.

As per the OCR breach summary, 42,000 individuals were affected by the breach, which has now been confirmed as a phishing attack. Health First explained that phishing emails were sent to its employees, and those who responded inadvertently disclosed their email credentials. Some of the emails in the compromised accounts contained patients’ protected health information (PHI). The attack did not affect the health plan’s electronic medical record system.

The attackers first accessed a company email account in February 2018, and the account was used to send further phishing emails to staff members. Further accounts were breached between February and May.

Health First claimed the attackers were able to access only “a small number” of email accounts, which contained a limited amount of PHI. Customers’ names, birth dates and addresses were exposed along with some Social Security numbers. Medical data and financial information were not compromised.

Forensic computer experts were called in to investigate the phishing attack. Based on their evaluation, Health First reports that the attackers appeared not to be interested in reading emails or obtaining protected health information. The attackers simply wanted to compromise more email accounts and carry out further phishing scams. Investigators found that the attackers had opened only a few emails.

When Health First discovered the breach, the passwords of all compromised employee email accounts were changed to stop the attackers from accessing the accounts. New security controls were also put in place to prevent further breaches.

Health First has notified all the patients affected by the breach and offered them 12 months of complimentary AllClear ID identity theft monitoring and identity repair services.