Over 5,000 patients of Metrocare Services have had their protected health information (PHI) compromised following a successful phishing attack.
Metrocare Services is a provider of mental health services in North Texas. An unknown threat actor targeted the facility with a phishing campaign, which resulted in several employee email accounts being compromised.
Metrocare Services detected suspicious activity on its network on February 6, 2019. Immediate action was taken to control all affected email accounts in an attempt to block the threat actor’s access to patient data.
Metrocare launched an investigation into the incident, which revealed that the hacker had first compromised the accounts in January 2019. For roughly a month, the hacker could have accessed sensitive patient data while remaining undetected by Metrocare.
The investigators analysed the affected email accounts in an attempt to assess the damage caused by the breach. The investigators determined that they contained the PHI of 5,290 patients. Following HIPAA’s Breach Notification requirements, Metrocare notified affected patients on April 5, 2019.
The email accounts contained information such as patient names, dates of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers.
The investigators found no evidence that the hacker accessed or copied the emails containing ePHI. However, they were unable to rule out the possibility that the hacker had accessed PHI.
As a gesture of good faith, Metrocare offered individuals whose Social Security number was exposed free access to identity theft protection and credit monitoring services for 12 months.
Metrocare Services has since stated that it intends to implement additional, robust security measures. It will introduce measures to strengthen the security of its email system to reduce the risk of future phishing attacks being successful.
Metrocare intends to introduce multi-factor authentication to prevent unauthorised individuals from accessing accounts should employee credentials be compromised in future attacks.
Metrocare Services has previously been the victim of successful phishing campaigns. In November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks. These improvements were not enough to protect the integrity and confidentiality of patient information. Had multi-factor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.
As the two Metrocare incidents show, phishing attacks against health organisations have become increasingly common in recent years. Health data have significant black-market values, making them potentially lucrative targets for hackers. A successful phishing or ransomware campaign can earn a hacker a considerable profit for relatively little effort.