Phishing Attacks on Sunspire Health and UPMC Cole Compromised Several Employee Email Accounts

Two more healthcare companies have announced they have been victims of phishing attacks that have allowed cybercriminals to gain access to the protected health information (PHI) of their patients.

Sunspire Health operates a national network of addiction treatment centers. In the recent incident, a number of email accounts were compromised because of what appears to be a targeted phishing campaign. Sunspire Health discovered that multiple email accounts were compromised between April 10, 2018 and May 17, 2018.

Sunspire Health called in a team of forensic investigators to figure out the nature and extent of the breach. According to the investigation, access to the first email account occurred on March 1, 2018. The attacker accessed other email accounts until May 4.

No reports of PHI misuse have been received by Sunspire Health thus far, although it is possible that PHI was viewed and downloaded. The compromised email accounts contained patient information such as names, birth dates, diagnoses, treatment details, medical insurance data and Social Security numbers.

Patients affected by the phishing attacks have now been notified of the breach by mail. On July 16, Sunspire Health also uploaded a substitute breach notice to its website. Patients whose information was compromised have been offered free credit monitoring and identity theft protection services for 12 months. Sunspire Health has notified the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates 6,737 individuals have been affected by the breach.

UPMC Cole has also experienced a phishing attack. The Coudersport, Pennsylvania-based healthcare provider discovered two employees were tricked into disclosing their login information after receiving phishing emails. Two email accounts were compromised: the first on June 7, 2018 and the second on June 14. The individuals responsible used the accounts to send phishing emails to other members of staff. The incident was investigated to find out if the attacker accessed any patient health data. Data access was not verified, but could not be ruled out.

The PHI contained in the email accounts was limited to names, birth dates, health procedures, general treatment data, names of healthcare companies, and scheduling details. The breach affected 790 patients who have now been notified by mail.