Utah Pathology Services and Dynasplint Systems are the latest victims of phishing attacks in healthcare. More details about the incidents are discussed below.
Phishing Attacks in Healthcare: Utah Pathology Services
Utah Pathology was targeted by hackers who used an employee’s email account to gain access to the healthcare organization’s network. On June 30, they discovered a breach when hackers tried to redirect funds from the organization using a compromised employee email account, although they were unsuccessful in their attempt.Â
An investigation was launched into the phishing attack, discovering that the protected health information (PHI) of 112,000 patients may have been exposed. The PHI exposed varied on a per patient basis, including names, contact information, insurance information, medical and health information, clinical and diagnostic information, and some Social Security numbers.
In addition to conducting an investigation into the incident, Utah Pathology is strengthening its security by implementing additional safeguards. They have also reported the incident to the Department of Health and Human Services (HHS) and law enforcement.
Phishing Attacks in Healthcare: Dynasplint Systems
Dynasplint Systems, a healthcare manufacturer, notified 103,000 patients of a recent ransomware attack that may have compromised their PHI. They noticed that they had been targeted when employees attempted to access Dynasplint’s computer systems, and were unable to access files.
Upon further investigation, it was discovered that PHI may have been accessed or stolen in the attack. The potentially compromised information included names, contact details, Social Security numbers, medical information, and dates of birth.Â
Patients affected by the breach will receive free identity monitoring and recovery services for a year. Dynasplint is also working with a cybersecurity firm to increase their security and bolster safeguards. They have also reported the incident to the HHS and the FBI.
Phishing Attacks in Healthcare: Prevention
Phishing attacks occur largely in part due to human error. Hackers target employees of an organization by sending malicious emails. These emails impersonate a trusted individual or entity, tricking recipients into providing information, such as login credentials, that allows hackers to enter the organization’s network.Â
As such, the best ways to prevent a phishing attack is through the implementation of policies and procedures, and by providing employees with cybersecurity training.
◈ Policies and Procedures. Policies and procedures dictate the proper uses and disclosures of PHI, provide a framework for an organization’s safeguards, and dictate procedures for reporting a breach.
◈ Training. Employee training must be conducted annually and should include HIPAA basics, your organization’s policies and procedures, and cybersecurity best practices. Many healthcare employees are undertrained, especially in cybersecurity best practices. Prioritizing cybersecurity training is a key component in preventing cyber attacks. When employees are trained on how to recognize a phishing email, they are less likely to fall victim to a phishing attempt.
