A phishing attack at Women’s Health USA Inc. has compromised the PHI of 17,000 patients.
An employee of Women's Health noticed suspicious activity on their email account, prompting an investigation. The investigators discovered similar activity on other employee email accounts. Women's Health took steps to secure the affected accounts and hired a third-party cybersecurity firm to assist with the investigation, which looked into the cause, scope, and potential consequences of the breach.
Women's Health USA Inc., based in Avon, Connecticut, is a HIPAA business associate that supplies a range of practice management services to healthcare groups. Because it holds patient information on behalf of those clients, the breach could have had severe implications for the individuals involved. Patient information has a sizeable black-market value, so Women's Health had a responsibility to determine whether unauthorised individuals had accessed any of the data.
The investigation revealed that an unauthorised individual had launched a phishing attack against the company. The attacker successfully fooled two employees into providing access to their email accounts. The first email account was breached on April 5, 2018, and the second on August 13, 2018.
The investigators reviewed all emails and email attachments in the compromised accounts and found that they contained a small amount of protected health information (PHI). The information exposed included names, dates of birth, Medicare Health Insurance Claim Numbers (HICN), health insurance policy numbers, diagnosis information, treatment information, and Social Security information.
Following HIPAA’s Breach Notification Rule, Women’s Health USA contacted all impacted healthcare provider clients about the breach on March 15, 2019, and started sending breach notification letters to all impacted patients on March 29, 2019.
Women's Health has stated that all employees are undergoing additional training on the dangers of phishing emails and how to spot these attacks; the training also covers other types of cybersecurity threats. Women's Health has also implemented additional security measures and safeguards to improve email security.
Women's Health has reported the breach to the Department of Health and Human Services' Office for Civil Rights. The breach summary states that 17,531 individuals were affected.