Healthcare System Phishing Breach Affects 209,000
Academic Medical Center Says Access to Email Accounts Lasted Months
Massachusetts-based UMass Memorial Health is the latest large healthcare network to report an email phishing incident that potentially compromised hundreds of thousands of individuals' protected health information.
The unauthorized access to "a limited number" of employee email accounts lasted about seven months - from June 24, 2020, to Jan. 7, 2021 - before it was detected, Worcester, Massachusetts-based UMass Memorial says in a breach notification statement posted on its website.
UMass Memorial Health, which includes an academic medical center, three other hospitals and a medical group, reported to the Department of Health and Human Services on Oct. 15 an email hacking incident affecting more than 209,000 individuals, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches affecting 500 or more individuals.
UMass Memorial Health in its notification statement says that it determined on Jan. 27 that some employees’ email accounts may have been accessed by an unauthorized person.
On Aug. 25, the healthcare entity completed the process of identifying individuals with information contained in the accounts, the statement says.
For affected patients, the information involved included names, dates of birth, medical record numbers, health insurance information and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information and/or prescription information, UMass Memorial Health says.
For affected health plan participants, the information involved included names, subscriber ID numbers and benefits election information. For some individuals, a Social Security number and/or driver’s license number was also involved, the statement says.
"We do not have any evidence that your information was in fact viewed or accessed, only that it was simply contained within an email account that was compromised," UMass Memorial Health says.
The organization says it has no evidence that any information has been misused, but is offering affected individuals one year of complimentary identity and credit monitoring.
The phishing incident did not affect all UMass Memorial Health patients or health plan participants - only those whose information was contained in the affected email accounts, the statement adds.
UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication.
UMass Memorial Health's health data breach is among the latest email phishing incidents reported as affecting huge numbers of individuals.
On Oct. 1, several affiliates of the Pennsylvania-based Professional Dental Alliance began notifying a total of more than 170,000 individuals in about a dozen states of a phishing breach involving a vendor that provides nonclinical management services to dental practices owned by PDA.
The dental alliance said the affiliated vendor, North American Dental Management, experienced an email phishing and credential harvesting attack on March 31 and April 1. Exposed patient information included names, mailing addresses, email addresses, phone numbers, dental information, insurance information, Social Security numbers and financial account numbers, PDA says.
OSF said the phishing email incident potentially resulted in unauthorized access to personal information contained in four employees’ email accounts.
So far in 2021, the largest phishing incident posted on the HHS website was reported on Jan. 8 by New York-based American Anesthesiology. It affected nearly 1.3 million individuals (see: Healthcare Phishing Incidents Lead to Big Breach).
Despite employee awareness training and other efforts, organizations continue to fall victim to increasingly sophisticated phishing scams that lead to major health data breaches, a persistent challenge, some experts note.
"This is a multifaceted problem that may require several controls or limitations set to reduce the overall risk that email represents," says Mac McMillan, CEO of privacy and security consultancy CynergisTek.
"The first thing we need to accept is that we don’t just need multifactor authentication on external connections to our network, but we need it internally as well, on high-priority applications such as email," he says.
Most phishing attacks can be defeated by using MFA, but organizations are reluctant to implement it due to its impact on workflow, he says.
"When you start talking about this issue, it all boils down to managing risk. We know how to restrict volume in email, how to review email for sensitive content, how to encrypt mail, how to limit access to mail, but we continue to fail to execute or do what we know we should do," he notes.
Additionally, many organizations have experienced these incidents despite having "all the right policies, configuration rules, tools, etc., because someone failed to execute consistently and apply them," McMillan says.
"The only way you are going to know this is through continuous testing and validation."
He urges organizations to "secure the email, limit retention where possible, and apply MFA so that simple compromise of a user's account credentials is not the first step to a bigger issue."