Several major health systems have reported an onslaught of phishing, spoofing, and ransomware incidents. While these healthcare cyber attacks use different tactics, they all have the same end goal – to steal sensitive patient information. 

Phishing Attack Targets UMass Memorial Health

UMass Memorial Health recently informed patients that their protected health information (PHI) was potentially compromised in a healthcare cyber attack stemming from a phishing incident. UMass Memorial became aware that an employee email account had been breached and contracted a third-party forensic firm to investigate the scope and nature of the incident. While the investigation could not determine whether or not PHI was accessed in the incident, PHI was contained in some of the emails and attachments in the employee’s email account.

PHI potentially exposed in the incident varied by individual, but may have included names, dates of birth, medical record numbers, health insurance information, clinical or treatment information, dates of service, provider names, diagnoses, procedure information, prescription information, subscriber ID numbers, benefits election information, Social Security numbers, and driver’s license numbers. The incident, which occurred from June 2020 to January 2021, impacted the PHI of 3,099 patients.

UMass Memorial Health released a statement in response to the healthcare cyber attack: “We regret any concern or inconvenience this incident may cause, and we remain committed to protecting the confidentiality and security of our patients’ and health plan participants’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multifactor authentication.”

Spoofing Incident Targets Hospital Patients

Spoofing incidents occur when a malactor targets individuals by calling them and posing as a trusted company, often displaying a false caller ID to trick call recipients. While some of these incidents are easily recognizable as scams, others are more targeted, making them difficult for call recipients to detect. One recently reported incident targeted patients of Henry Ford Health System.

In a statement released on October 17, 2021, Henry Ford warned patients of the spoofing incident, in which malactors attempt to trick patients into divulging their sensitive banking information by claiming that the hospital is issuing them a refund. While the incident is ongoing, the statement claims that Henry Ford operators are receiving up to 200 calls a day regarding the scam.

John Fowler, interim chief information privacy and security officer at Henry Ford, explained, “We don’t believe callers are identifying themselves as a representative of Henry Ford, but we are very concerned that scammers are using our number in a fraudulent way. This is extremely concerning. We want people to trust that when they get a call from Henry Ford, we are reaching out to them with important information about their health. And with hundreds of people calling each day simply because they think we’ve called them, our operators are facing some serious challenges.”
