The University of Alabama at Birmingham (UAB) Medicine is the latest victim of a healthcare phishing attack, one affecting 19,500 patients. In a phishing attack, an attacker poses as a trusted entity and prompts email recipients to click a malicious link, open an attachment, or enter their credentials on a lookalike site, giving the attacker unauthorized access to the recipient's account or system. Healthcare phishing attacks have become more prevalent because protected health information (PHI) is widely reported to sell for more on the dark web than financial information.
In the incident affecting UAB Medicine, the attackers sent several employees an email, apparently from a UAB Medicine executive, asking them to complete a survey. UAB Medicine had trained its employees to recognize phishing attempts before the attack; however, multiple employees were fooled by the malicious email. Through the attack, the attackers gained access to those employees' email accounts as well as the organization's payroll system.
UAB Medicine has engaged Kroll, a cybersecurity firm, to investigate the incident and has notified affected patients. Although it has not been confirmed whether the attackers viewed or copied PHI, the breached email accounts contained dates of birth, medical record numbers, locations and dates of service, diagnoses, and treatment information; some Social Security numbers may also have been exposed.
The investigation determined that the attackers accessed the organization's payroll system in an attempt to divert employees' automatic payroll deposits to accounts they controlled. All of those attempts to redirect the deposits were unsuccessful.
UAB Medicine is offering affected patients 12 months of identity theft protection and credit monitoring. It has also recommended that affected patients monitor their credit reports and insurance statements for any fraudulent activity on their accounts.
Preventing a Healthcare Phishing Attack
Healthcare phishing attacks can be extremely costly to victims once breach notification, HIPAA fines, identity theft monitoring, remediation efforts, and reputational damage are factored in.
As such, the Department of Health and Human Services (HHS) recommends the following ten cybersecurity practices, published in its Health Industry Cybersecurity Practices (HICP) guidance:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
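The first practice on that list, email protection, is the one that would have met the lure described above: a message carrying an executive's name but not the organization's mailbox. The following script is an added example, not code from the article, from UAB Medicine, or from HHS; the organization domain, executive names and the three raw messages are constructed for illustration. It applies two gateway checks to each message: a protected display name arriving from an external domain (the impersonation pattern in this incident), and a sender that claims the organization's own domain without a DMARC pass (a direct spoof).

```python
"""Executive-impersonation and domain-spoof checks for inbound mail.

Added example, not code from the article or from UAB Medicine.  The domain,
executive names and messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed configuration for a hypothetical organization.
ORG_DOMAIN = "example-health.org"
# Display names attackers are likely to borrow, stored normalized
# (lower-case, single spaces) so "JANE   DOE" still matches.
PROTECTED_NAMES = {"jane doe", "john smith"}

# Three constructed RFC 5322 messages; none is a real UAB Medicine message.
SAMPLE_MESSAGES = [
    # 1. The incident pattern: executive's name, external sender domain.
    """From: "Jane Doe" <jane.doe.ceo@mail-example.net>
To: staff@example-health.org
Subject: Quick survey - need your input today
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=mail-example.net; dmarc=none header.from=mail-example.net

Please complete this short survey: http://survey-example.net/form
""",
    # 2. Legitimate internal message that passes DMARC.
    """From: "Jane Doe" <jane.doe@example-health.org>
To: staff@example-health.org
Subject: Town hall next week
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org

See you at the town hall.
""",
    # 3. Direct spoof of the organization's domain that fails DMARC.
    """From: "John Smith" <john.smith@example-health.org>
To: payroll@example-health.org
Subject: Update my direct deposit
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health.org; dmarc=fail header.from=example-health.org

Please change my direct deposit account before Friday.
""",
]


def normalise_name(name: str) -> str:
    """Lower-case a display name and keep only letters and single spaces."""
    cleaned = re.sub(r"[^a-z ]", " ", name.lower())
    return " ".join(cleaned.split())


def dmarc_result(msg) -> str:
    """Read the dmarc= verdict written by the receiving gateway.

    Returns 'none' when the Authentication-Results header or its dmarc
    clause is absent, so a missing verdict is treated as not passing.
    """
    header = str(msg.get("Authentication-Results", ""))
    match = re.search(r"\bdmarc=(\w+)", header)
    return match.group(1).lower() if match else "none"


def assess(raw_message: str):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name = normalise_name(display_name)
    findings = []

    # Check 1: a protected executive's name on mail from outside the org.
    if name in PROTECTED_NAMES and domain != ORG_DOMAIN:
        findings.append(("exec-impersonation",
                         f"display name '{display_name}' used from external "
                         f"domain {domain or '<none>'}"))

    # Check 2: mail claiming the org's own domain must pass DMARC; anything
    # else is a spoof, or a misconfigured internal sender worth a look.
    verdict = dmarc_result(msg)
    if domain == ORG_DOMAIN and verdict != "pass":
        findings.append(("dmarc-fail",
                         f"{address} claims {ORG_DOMAIN} but DMARC result is {verdict}"))
    return findings


def classify(raw_message: str) -> str:
    """Gateway decision: quarantine anything with a finding, else deliver."""
    return "quarantine" if assess(raw_message) else "deliver"


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        subject = str(message_from_string(raw, policy=policy.default)["Subject"])
        print(f"{classify(raw):10} {subject!r} {assess(raw)}")
```

Run as a script, the first and third messages are quarantined and the second is delivered. The display-name check is deliberately independent of authentication results: the lure in this incident came from a mailbox the attacker legitimately controlled, so SPF and DKIM alone would not have flagged it, and only the mismatch between the borrowed name and the sending domain gives the gateway something to act on.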
Organizations that implement these practices reduce their risk of a successful healthcare phishing attack and, with it, their exposure to breach-related costs that can run into millions of dollars.