The gastroenterology healthcare company located in Bradenton, FL, known as Florida Digestive Health Specialists (FDHS) has recently informed around 212,000 patients concerning the potential compromise of their protected health information (PHI) due to a cyberattack last December 2020.
Attorney Jason M. Schwent of Clark Hill mailed breach notification letters to the affected patients on December 27, 2021. The notification letters stated that there was suspicious activity found in the email account of a worker on December 16, 2020. An unauthorized individual used the email account to send email messages.
This was a business email compromise attack. BEC attacks entail an attacker obtaining access inside an email account, typically by means of a phishing email, and then using it to impersonate the employee and persuading other individuals to do fake wire transfers. On December 21, 2020, FDHS found a fraudulent money transfer to an anonymous bank account.
FDHS engaged Clark Hill’s expert services and a third-party cybersecurity firm to check into the cyberattack. According to the investigation, unauthorized persons got access to several employees’ email accounts. The email accounts were known to be “voluminous” and contained the personal information and protected health information (PHI) of 212,509 patients. The goal of this type of attack is to obtain payments through bogus wire transfers and not to get patient data; still, data theft could not be ruled out.
The amount of data contained in the breached email accounts were used as a reason for delaying the sending of notification letters to the impacted patients for 12 months. FDHS explained that it took a long time to audit the email accounts, which only concluded on November 19, 2021.
As a result of the breach, several changes were done to its IT systems to improve safety. The safety procedures consisted of a password reset in all its IT networks, use of multifactor authentication, strengthening password criteria, and re-establishing of its firewall.
Affected individuals were provided zero-cost credit monitoring and identity theft protection services for one year.