What Is Known about the Phishing Attack?
NCH, a large covered entity that employs over 5,000 people, first detected the phishing attack in mid-June of 2019, when NCH became aware of suspicious email activity relating to NCH’s payroll system.
NCH subsequently conducted an investigation, working with third-party forensic investigators to confirm the nature and scope of the event. The investigation was completed in early July, 2019. The investigation concluded that up to 73 NCH employees fell victim to a phishing attack, thereby disclosing account credentials to the attackers. Preliminary findings suggest the goal of the attackers appears to have been to redirect payroll payments to the hackers’ own accounts.
At present, according to NCH, there is no evidence of actual or attempted misuse of information that is present in any of the employees’ email accounts. NCH, in its notice, has indicated that the incident is still being investigated. NCH has also stated that upon conclusion of the investigation, it will directly notify those individuals whose information (including electronic protected health information, or ePHI) is within the compromised email accounts, and provide detail on what specific information may have been affected.
NCH has also notified potentially affected individuals that NCH is reviewing its existing policies and procedures related to cybersecurity. The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
NCH has also notified potentially affected individuals that it will be reporting this incident to Florida regulators, and that it will also be reporting the incident to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification Rule.
Under the HIPAA Breach Notification Rule, covered entities and their business associates must provide notification to OCR following a breach of unsecured protected health information (PHI).