Phishing Scams in Healthcare: A Persistent ThreatBreach Tally Shows Hacking Attacks Involving Email Continue to Plague the Sector
With the year nearly over, hacking attacks - especially those involving phishing and other email attacks - continue to rack up big victim counts for health data breaches reported to federal regulators in 2018.
A Nov. 27 snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 327 major health data breaches impacting nearly 9.8 million individuals have been added to the tally so far in 2018.
"Cybercriminals update their messaging multiple times every single day. If the workforce has not been updated on this topic in the last few months, they could easily fall for newer versions of phishing attacks."
—Susan Lucci, tw-Security
Often called the "wall of shame," the OCR website lists health data breaches affecting 500 or more individuals.
Since 2009, a total of 2,508 major breaches impacting about 187 million individuals have been posted to the federal tally.
So far this year, 138 health data breaches were reported as hacking/IT incidents, affecting a total of nearly 6 million individuals, or more than 60 percent of all victims in 2018.
The second most common type of health data breaches reported so far in 2018 are unauthorized access/disclosure incidents. The federal tally shows 128 of those incidents affecting more than 2.7 million individuals.
Another 53 incidents involved loss or theft - including unencrypted devices, as well as paper/film records - impacting a total of about 726,000 individuals. Eight improper disposal incidents affected more than 339,000 individuals.
Of the hacking breaches reported this year, 78 - or about 60 percent - were reported as involving email. In addition, 26 incidents reported as unauthorized access/disclosure breaches involved email.
"Phishing schemes that rely on human weaknesses are the major entry point for breaches, and the human factor is the most difficult to control," notes Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Phishing has gone from laughable emails to very sophisticated ones that even security professionals have to double check."
Large Recent Breach
Among the largest breaches added to the tally in recent weeks was a hacking/IT incident listed as affecting nearly 166,000 individuals reported on Nov. 17 by HealthEquity, a Draper, Utah-based health savings account company that's listed on the HHS website as a business associate.
A sample breach notification letter from HealthEquity posted on the California attorney general's office notes that a cyberattack involving unauthorized logins to two HealthEquity employees' email accounts was identified in October by the company's information security team.
"We immediately implemented security measures to prevent further access to the accounts and began analyzing all information contained in these accounts to identify any sensitive personal information. The unauthorized access occurred, in the case of one account, on Oct. 5, and in the case of the other, on different occasions between Sept. 4, 2018, and Oct. 3, 2018," the notification letter indicates.
The email accounts contained documents that included personal information that is used by HealthEquity to manage member accounts, the letter notes.
"The affected HealthEquity employees' email accounts had these materials for legitimate business purposes. The accounts contained information including participants' Social Security numbers and may have included other information such as names, HealthEquity member ID, account type, contribution amount, and employer's name."
An HealthEquity spokeswoman tells Information Security Media Group that the number of individuals affected by the breach was actually higher than the number reported to HHS. "The requirements for HHS reporting is tied to HIPAA-related accounts. There were additional individuals affected with different account types outside of the reporting requirements," she says.
"We have been working with roughly 185 different companies to notify the approximately 190,000 individuals affected by the incident. All affected individuals will receive information to enroll in five-year credit monitoring and identify theft protection services at no cost."
Phishing tactics were not used to gain access to the email accounts, she says. "While the attack was limited to access through two Microsoft Outlook 365 email accounts and none of HealthEquity's systems were accessed or impacted, we continue to be vigilant and proactive in protecting the personal information of the individuals we serve."
The company is implementing additional security protocols, including email retention and storage policies and regular Microsoft Outlook 365 email penetration testing, the spokeswoman adds.
HealthEquity also reported to HHS a separate hacking/IT incident in June impacting 16,000 individuals and involving email.
Another Incident Not Yet on Tally
In another incident not yet posted to the wall of shame, New York Oncology Hematology, an Albany, New York-based cancer care and blood disorder services provider, on Nov. 16 began notifying 128,400 employees and patients of a targeted phishing attack on several workers that potentially compromised their protected health information or other personal data.
"The phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords," says a statement posted on NYOH's website. "These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated."
NYOH hired a forensic firm to conduct a review of the content of the accounts following the phishing attack, which occurred between April 20 and April 27, the organization says. "Following a thorough analysis, on Oct. 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees. Patients and employees who joined NYOH after April 27, 2018, are not involved."
NYOH says it is not aware of any access to or attempted misuse of patient or employee information related to this incident, but it's offering affected individuals one year of free identity theft and credit monitoring services.
An Ongoing Challenge
Incidents involving phishing attacks will continue to plague the healthcare sector, some experts predict.
"There are a few reasons why this will not be going away. One is the evolving nature of the types of emails the hackers are sending, and another is not keeping the [warnings] to employees fresh," says Susan Lucci, senior privacy and security consultant at tw-Security.
"Cybercriminals update their messaging multiple times every single day. If the workforce has not been updated on this topic in the last few months, they could easily fall for newer versions of phishing attacks during this busy online shopping time as well as insurance renewal enrollment."
Attorney Marti Arvin, vice president of audit strategy at security consultancy CynergisTek, notes: "Hackers are growing even more sophisticated in their efforts. All it takes is one user to click, and if that user's credentials are compromised, that may allow the hacker to get the credentials of other users by sending emails that appear to be from the originally compromised user."
But healthcare entities can take steps to reduce the risk that their organizations will fall victim to these scams, Arvin notes.
Having technology solutions that help prevent the hacker from getting in the system in the first place is the first line of defense, Arvin says. "Good data segregation, data loss prevention software and other tools that may allow for quick detection may help minimize the breach impact," she says.
Implementing technology that alerts users when an email comes from an outside source may help them pause before clicking, she notes.
"Of course, continuous education and awareness is also key."