Boys Town National Research Hospital (Boys Town) in Omaha, NE has discovered that an employee was fooled by a phishing email, resulting in the accidental disclosure of login credentials. Those credentials were used by the phisher to remotely access the employee's email account, which contained the protected health information (PHI) of 105,309 individuals.
Boys Town discovered the security breach on May 23, 2018, after strange activity was detected in the email account. Boys Town called in computer forensics specialists to investigate the potential breach, and unauthorized account access was confirmed to have occurred on May 23. No other email accounts were found to have been compromised.
The information exposed varied from patient to patient but may have included names, birth dates, Social Security numbers, employer ID numbers, driver’s license numbers, health insurance details, disability codes, marriage certificate details, birth certificate details, passport data, banking and other financial data, Medicare/Medicaid ID numbers, medical record numbers, usernames, passwords, diagnoses, treatment data and billing/claims details.
The investigation did not uncover evidence of data theft, although it is possible that patients’ PHI was viewed and potentially copied by the attacker. Boys Town has offered all individuals affected by the breach free identity theft protection services for one year. Hospital policies and procedures have been reviewed and updated, and additional safeguards have been implemented to prevent further successful phishing attacks.
NorthStar Anesthesia in Irving, Texas has also recently notified certain patients that some of their PHI has been exposed. Email accounts were compromised between April 3 and May 24, 2018, although the security breach was not identified until May 23, 2018. NorthStar Anesthesia blocked access to all compromised accounts on May 24, 2018.
A third-party forensic firm investigated the breach to determine the scope of the phishing attack and whether the emails were accessed and PHI copied. The investigators confirmed that the hacked email accounts contained a range of PHI – patients’ names, health insurance details, claims details, dates of birth, taxpayer ID numbers, IRS identity protection PINs, health insurance policy/subscriber numbers, medical record numbers, healthcare histories, diagnoses, treatment details and, for some individuals, Social Security numbers.
PHI access or data theft was not confirmed but could not be ruled out. Affected individuals have been offered free credit monitoring and identity protection services for two years.