Phishing Attacks at the Washington University School of Medicine and Doctors Community Medical Center

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information (PHI), contained in an email account, was breached in January 2020.

Because a research administrator in the Division of Oncology responded to a phishing email, an unauthorized person was able to access his email account from January 12, 2020 to January 13, 2020. After becoming aware of the breach, the Washington University School of Medicine acted quickly to secure the account and block further unauthorized access. A third-party computer forensics company was brought in to help with the investigation.

A careful analysis of the email messages and attachments in the account showed that they contained the following patient data: names, birth dates, patient account numbers, medical record numbers, and limited treatment and/or clinical data, such as diagnoses, names of providers, and laboratory test results. The medical insurance data and/or Social Security numbers of some patients were also exposed.

Affected individuals have already received breach notification letters. Those whose Social Security numbers were potentially compromised were offered free credit monitoring and identity protection services.

Washington University School of Medicine has already taken steps to enhance email security. Employees received reinforced training on identifying suspicious emails.

Doctors Community Medical Center Phishing Attack

Doctors Community Medical Center, based in Maryland, is notifying some patients about a breach of their PHI.

The medical center discovered the data breach in January 2020 after detecting suspicious activity in its payroll system. A breach investigation confirmed that a small number of employees received phishing emails and were tricked into disclosing their account credentials. Besides gaining access to the employees' email accounts, the attackers also accessed the employees' payroll information.

According to the investigation, the accounts were first breached on November 6, 2019, and access possibly continued until January 30, 2020. On February 13, 2020, Doctors Community Medical Center confirmed that data sheets with patient information were found in a few of the compromised email accounts.

Third-party forensic investigators were unable to confirm whether the attackers accessed, copied or disclosed the patient data. Nevertheless, no report has been received that suggests misuse of patient information. Because unauthorized data access cannot be ruled out, the medical center notified the patients and offered them credit monitoring and identity restoration services for free.

The potentially compromised types of information included names, addresses, birth dates, Social Security numbers, military identification numbers, driver’s license numbers, financial account information, diagnoses, prescription information, treatment information, provider names, medical record numbers, Medicare/Medicaid numbers, patient IDs, health insurance information, access credentials and treatment cost information.

The health system is reviewing its policies and procedures and updating them as needed. Additional safeguards will be put in place to stop more attacks.