Case Study – Phishing email causes breach of 23,000 patients

A phishing email caused a breach at a Colorado-based practice that resulted in the unauthorized release of the protected health information (PHI) of 23,000 patients. Using a phishing email to start an attack is one of the most common ways hackers gain access into the networks of practices and small businesses.

In this case study, we will review what happened and what you can do to protect your own practice from a phishing email attack.

What happened?

On November 23, 2018, Critical Care, Pulmonary & Sleep Associates, a Colorado-based practice, found that an attacker had compromised the email account of an employee. The compromise was noticed when phishing emails appeared to have been sent from the account to addresses in its address book.

When the activity was noticed, the practice immediately shut the account down and started an investigation. It searched the entire email server for further signs of compromise and found that the intrusion did not extend beyond the email server. The practice then hired a third-party computer forensics team to investigate and determine how widespread the breach was.

What was the result?

The investigation found that the unknown attacker had compromised a number of accounts on the practice’s email server, beginning on August 14, 2018 and continuing until the intrusion was discovered on November 23, 2018.

The email accounts had protected health information for more than 23,000 patients of the practice. Patient names, addresses, email addresses, phone numbers, dates of service and diagnoses, lab results, and patient treatment information were all in the compromised data. For some patients, their social security number and driver’s license numbers were also compromised.

After the breach, Critical Care, Pulmonary & Sleep Associates implemented stronger protections against phishing email attacks for the practice. It also required all employees to set up strong passwords. Security awareness training was also made available to all employees of the practice.

How do you protect against a phishing email attack?

Phishing email attacks are one of the most common methods attackers use to gain access to the networks of practices and businesses. The reason is that these attacks are very easy to launch and manage. Millions of emails can be sent out at no cost to the attacker, who then simply sits back and waits for users to respond.

In addition, the emails prey on human psychology. The email will entice a user to click on a link or open an attachment by pretending to be from someone in authority or from a financial institution such as a bank or credit card company. Fear is one of the most common reasons that people fall prey to phishing. The other is curiosity.

The first step is training for your practice. Protected health information should never be sent via email unless it is encrypted all the way through to its destination. This is often a confusing point for users because there are different kinds of encryption. For email, there are two basic types: encryption at rest and encryption in transit.

Email encryption

Encryption at rest concerns whether data is encrypted while it is stored. For example, in the Outlook email program, can anyone open it and read the contents of the email? If the computer were hacked or stolen, would the emails be readable? Encryption in transit concerns whether data is encrypted while it moves from one computer to another. An example of this is Google’s Gmail. When you access the Gmail site, it is via HTTPS, which means that the email you compose on your computer is encrypted on its way to Google. However, the copy that is stored in your sent items is not encrypted. In addition, after Google receives that email and forwards it to another email address, it is no longer encrypted. To protect protected health information on email, staff should be trained not to send this information via email unless a secure email system has been set up (see below).

In addition, security awareness training is critical to help your staff be aware of phishing email attacks. Google offers a great online quiz that is free for anyone to use.

You can access it here – Google Phishing Quiz

The next step is on the technology side. Endpoint protection programs should be installed on each computer or device on the network. This will help prevent outbreaks of malware resulting from phishing attacks. Firewalls can also help by blocking traffic to and from known phishing servers on the Internet.

A secure email system should be in place if the practice will be sending protected health information via email. Usually, the practice sends the patient an email containing a link; the patient clicks the link and enters a pre-arranged password to access the encrypted data. This way, if the practice’s email system were compromised, the attacker would still need to know the password for each piece of protected health information.
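As an added illustration of that design (example code, not anything from the practice or the article), the following Python keeps PHI out of the mailbox entirely: the record is encrypted under a password agreed with the patient out of band, only the encrypted blob sits on a hypothetical portal, and the email carries nothing but a link. It uses only the standard library (PBKDF2 key derivation, an HMAC-SHA256 keystream in counter mode, and encrypt-then-MAC) to show the mechanism; a production portal should use AES-GCM from a vetted library instead. The portal URL, token and record contents are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed illustration: the practice encrypts a PHI record under a password
# agreed with the patient out of band and emails only a link. Stdlib-only
# construction (PBKDF2 keys, HMAC-SHA256 keystream in counter mode,
# encrypt-then-MAC); a real portal would use AES-GCM from a vetted library.
PBKDF2_ITERATIONS = 200_000

def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the pre-arranged password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate HMAC(key, nonce || counter) blocks up to the requested length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_record(password: str, record: dict) -> dict:
    """Blob the portal stores; it reveals nothing without the patient's password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(record).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_record(password: str, blob: dict) -> Optional[dict]:
    """Return the record, or None if the password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify the tag before decrypting
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

def build_notification(portal_url: str, token: str) -> str:
    """The only thing that travels by email: a link and a reminder, never PHI."""
    return (f"Your results are ready at {portal_url}/{token}. Enter the password you "
            "arranged with our front desk. This message contains no health information.")
```

A mailbox compromise like the one in this case would expose only the notification text and, at worst, the blob, neither of which yields the record without the pre-arranged password.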

Following these three guidelines would greatly enhance the security of your practice and defend against phishing emails.


Phishing attacks are one of the most common methods attackers use to gain access to practice networks. It is easy and has virtually no cost to them. Most attackers are looking for the least amount of effort for the highest amount of reward. Phishing email attacks achieve that.

In this case, Critical Care, Pulmonary & Sleep Associates suffered a breach of its email system that resulted in the unauthorized disclosure of more than 23,000 patient records. The email system had been used to send out patient information and wasn’t secure.

To protect yourself from similar attacks, a mix of training and technology is needed. Staff should be trained on what can and cannot be sent via email to patients. All staff members should be trained to recognize phishing attacks and other security threats. Install strong endpoint protection on all computers and devices in the practice. Lastly, firewalls can help by filtering traffic to and from known phishing servers.

Implementing these basic steps will reduce your exposure to this growing threat.