Phishing Attack Aimed at Stealing Payroll DepositsHealthcare System's Procedures Helped Prevent the Crime
A Texas-based healthcare system says hackers unsuccessfully tried to divert employee payroll direct deposits through a phishing attack that also potentially exposed patient data. The incident illustrates how business processes can help avert theft.
Decatur, Texas-based Wise Health System, which employs 1,900 and includes a medical center, several clinics and specialty care facilities, says an email phishing campaign was launched against its staff on March 14.
"Unfortunately, a few of Wise Health System's employees provided their usernames and passwords in response to this phishing email," the organization says in a statement. "Once these usernames and passwords were obtained, the intruders used the information to access the employee kiosk in an attempt to divert payroll direct deposits."
Wise says that while it does not believe that it was the intent of the phishing attack to obtain patient information, access to the email boxes may have compromised patient information, such as medical record number, diagnostic and treatment information, and potentially insurance information.
"Again, we believe the purpose of this campaign was to divert payroll direct deposits rather than to obtain patient information," the statement notes. Wise Health System has not received any reports of patient identity theft since the date of the phishing incident, the statement adds.
A listing of the Wise Health breach on the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website indicates the "hacking/IT incident" was reported on July 13 as impacting nearly 36,000 individuals.
Wise Health did not immediately respond to an Information Security Media Group request for comment. Its website appears to show a link to an "employee kiosk" that is not currently functioning.
According to a report by the Wise County Messenger, a local newspaper, Kimberly Browder, Wise vice president of compliance and privacy officer, says hackers tried to change approximately 100 payroll direct deposits. But the hospital's payroll system requires a paper check be printed for two payrolls after any changes are made to an employee's direct deposit.
When payroll was completed on April 5, an unusual number of checks were required to be printed, which raised a red flag, Browder told the Messenger. So that paper check safeguard appears to have prevented the theft of funds.
"Treat an employee portal or kiosk like an ATM machine at the bank. Require multifactor authentication as the authorization for handling sensitive transactions."
—Tom Walsh, tw-Security
"We forced a password change immediately, systemwide," Browder told the Messenger, adding that all employees were paid and no worker missed a paycheck.
Wise Health is reportedly offering affected individuals 12 months of prepaid credit monitoring and identity theft protection.
Safeguards Play Important Role
Tom Walsh, president of consulting firm tw-Security, says that the process for making any changes to employee-related data should always require an authorization. That includes changes involving an employee's bank and account numbers for payroll direct deposits, beneficiaries on life insurance policies and health insurance benefits.
"The employee portal makes it easier and more convenient, but the assurance that the HR department is actually communicating with the employee may have been lost for the sake of convenience," he says.
"Treat an employee portal or kiosk like an ATM machine at the bank," he advises. "Require multifactor authentication as the authorization for handling sensitive transactions."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, notes that to help prevent security incidents involving employee data systems from also potentially impacting patient data, it's critical that healthcare entities take a holistic security approach.
"Healthcare and any other types of organizations should aim to develop a generic information security program, starting with identifying all confidential information assets held by the organization," she notes. "Then apply security safeguards for all such information in any form. Avoid siloing based on industry regulations, since most security controls are data-neutral and common to many or most regulations and standards."
To reduce the odds that phishing and other email related incidents succeed in exposing sensitive data, Walsh advises against sharing confidential information in email.
"Use other secure methods for sharing information," he says. "For example, instead of sending a spreadsheet filled with patient information as an attachment to email, store the spreadsheet on a common network drive ... plus password protect the spreadsheet."
While this creates additional steps and could be perceived as inconvenient, it helps prevent data from being exposed in the event that a user's email gets hacked or compromised, Walsh says.
Hackers know that many people quickly respond to any type of a request that purportedly comes from executive management, Walsh adds. "This is one of the reasons why phishing emails have been so successful. Employees will bypass the normal protocols and procedures followed for making changes - even violating their own internal policies - in order to quickly respond to a request by upper management."
Regardless of who is making a request, employees need to understand that they must "stick to and follow organizational policies," he adds. "These processes were established to protect both the company as well as the employee - especially if the request involves money or passwords."
In another employee portal incident last year, a coding error inadvertently allowed some users of a portal for the Employee Retirement System of Texas to view the information of others, potentially exposing information on nearly 1.25 million of its members.
That incident was among the five largest health data breaches reported to HHS in 2018.