Orlando Family Physicians announced that it suffered a healthcare data breach, potentially exposing the protected health information (PHI) of 447,426 patients. In a statement posted on their website, OFP cites the cause as a phishing email that allowed unauthorized access to the email accounts of four employees.
What Happened?
On April 15, 2021, OFP discovered that an unauthorized party gained access to an employee’s email account using the employee’s user ID and password. The unauthorized party obtained the employee’s login credentials through a previous phishing attack.
Upon further investigation by a cybersecurity forensics firm, it was determined that three other employee email accounts were compromised. Within 24 hours of the initial unauthorized access, OFP terminated the access to the accounts.
The investigation also determined that there was PHI present in the employee email accounts, and although there is no evidence that PHI has been misused, the unauthorized party had the potential to access the information. However, the evidence determined that the unauthorized party accessed OFP’s network in an attempt to commit financial fraud, and not to steal PHI.
To prevent a similar incident from occurring in the future, OFP has enhanced their data security measures, and provided employees with more training regarding the importance of email security.
What Information Was Exposed in the Healthcare Data Breach?
According to OFP’s statement, information potentially compromised by the healthcare data breach included current patient PHI, prospective patient PHI, and employee information. Although the information exposed varied, the following information was included in the compromised accounts, “name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number.”
How to Recognize Phishing Emails
Phishing emails have long plagued the healthcare industry, targeting employees to gain access to sensitive company information. There are certain indications that employees can look for when determining the legitimacy of an email.
The following are indications that an email is a phishing email:
- The sender’s email address doesn’t look genuine
- The email is asking for personal information (such as login credentials)
- There are spelling or grammatical errors
- It contains an unsolicited attachment
- It is forcing the recipient to click on a link
Emails coming from a legitimate company will likely have a company domain name in their email address, and will never ask for personal information.
