1.2 million patients’ info exposed after MEDNAX phishing attack
by Sara Nguyen
MEDNAX is a healthcare business associate that provides revenue cycle management and other administrative services. The company recently announced that it had suffered an email data breach, and 1,290,670 patients potentially had their protected health information (PHI) exposed.
A hacker gained access to multiple MEDNAX employee email accounts. Although the Microsoft 365-hosted mailboxes were separate from MEDNAX’s internal network and systems, the messages stored in them contained PHI for more than 1.2 million patients.
The potentially exposed information included patient names, addresses, birth dates, Social Security numbers, financial information, and more.
How did the hacker gain access to employee accounts?
The hacker gained access after employees responded to phishing emails: messages crafted to trick recipients into handing over credentials or other account details that the attacker can then use to sign in as them.
Phishing keeps working because, for many organizations, a single password is all that stands between an attacker and a mailbox full of PHI. Training employees to recognize phishing emails and other scams is necessary, but it should be paired with controls that limit what a stolen password buys: multi-factor authentication on every email account, alerting on unusual sign-ins, and keeping PHI out of mailboxes wherever possible.
How MEDNAX responded to the phishing attack
The investigation found no evidence that the PHI had been misused, but the company is offering affected patients one year of free identity monitoring.
MEDNAX is also enhancing its security protocols following the email breach and has changed the passwords of affected email accounts.
The company reported the data breach to the HHS Office for Civil Rights (OCR), but not within 60 days of discovery. The HIPAA Breach Notification Rule requires breaches affecting 500 or more individuals to be reported to OCR no later than 60 days after discovery, so MEDNAX may face additional penalties for late reporting.
How to prevent phishing attacks
Covered entities and their business associates alike should make HIPAA-compliant email a top priority. Since the HITECH Act and the Omnibus Rule, business associates are directly subject to the HIPAA Security Rule, so they need the same rigorous safeguards for PHI and face the same enforcement consequences for failing to apply them.
Paubox Email Suite Plus has key security features to protect you from cyberattacks. It has robust inbound security tools to prevent spam, virus, ransomware, and phishing emails from reaching your users’ inboxes. Our patented ExecProtect feature is also included to mitigate the risk of display name spoofing attacks.
Paubox also easily integrates with Google Workspace, Microsoft 365, or Microsoft Exchange and encrypts all emails by default with no need for portal logins or app downloads. It’s a great solution for protecting your emails with the best security features.
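The display name spoofing mentioned above is one of the cheapest phishing tricks: the From header shows a trusted executive's name while the actual address belongs to a free webmail account or a lookalike domain. The following is an added example, written for this article and not Paubox's ExecProtect code or any vendor's implementation, of the kind of inbound check a mail gateway can run. It assumes a hypothetical organization domain (example-health.org), a hypothetical list of protected executive names, and constructed sample messages; it flags three patterns: a protected name on an external address, a domain that is a homoglyph lookalike of the organization's, and an internal From paired with an external Reply-To.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical organization domain and executive names (assumptions for this
# example, not real data).
ORG_DOMAIN = "example-health.org"
PROTECTED_NAMES = [
    frozenset({"jane", "doe"}),
    frozenset({"john", "smith"}),
]

# Digits that lookalike domains commonly substitute for ASCII letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _name_tokens(display):
    """'Jane Doe', 'Doe, Jane' and 'Dr. JANE DOE' collapse to comparable token sets."""
    return frozenset(display.lower().replace(",", " ").replace(".", " ").split())


def _looks_like_org(domain):
    """True if the domain is not ours but becomes ours after homoglyph normalization."""
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return domain != ORG_DOMAIN and normalized == ORG_DOMAIN


def find_spoofing(raw_message):
    """Return a list of (kind, detail) findings for one RFC 5322 message text."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    internal = from_domain == ORG_DOMAIN
    tokens = _name_tokens(display)

    # 1. A protected executive's name on an address outside the organization.
    if not internal and any(name <= tokens for name in PROTECTED_NAMES):
        findings.append(("display_name_spoof",
                         f"'{display}' sent from external address {addr}"))

    # 2. A sending domain that only looks like ours (examp1e-hea1th.org).
    if _looks_like_org(from_domain):
        findings.append(("lookalike_domain",
                         f"{from_domain} resembles {ORG_DOMAIN}"))

    # 3. Internal-looking From but replies are routed to an external mailbox.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if internal and _domain(reply_addr) != ORG_DOMAIN:
            findings.append(("reply_to_redirect",
                             f"internal From but replies go to {reply_addr}"))
    return findings


def should_quarantine(raw_message):
    """Gateway decision: hold the message if any spoofing indicator fired."""
    return bool(find_spoofing(raw_message))


# Constructed sample messages (not real traffic).
LEGIT_MSG = """From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Q3 numbers

Attached.
"""

SPOOF_MSG = """From: "Jane Doe" <jane.doe@gmail.example>
To: payroll@example-health.org
Reply-To: jane.doe@gmail.example
Subject: Urgent wire transfer

I need this done before noon.
"""

BEC_MSG = """From: Jane Doe <jane.doe@example-health.org>
Reply-To: accounts@outlook.example
To: payroll@example-health.org
Subject: Updated banking details

Please use the new account on file.
"""

LOOKALIKE_MSG = """From: "Doe, Jane" <jane.doe@examp1e-hea1th.org>
To: payroll@example-health.org
Subject: Patient list

Send me the spreadsheet.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MSG), ("spoof", SPOOF_MSG),
                       ("bec", BEC_MSG), ("lookalike", LOOKALIKE_MSG)]:
        print(label, "QUARANTINE" if should_quarantine(raw) else "deliver",
              find_spoofing(raw))
```

The name check is deliberately loose (token subset, so honorifics and reordered names still match), which means a genuine outside contact who shares an executive's name will be flagged; in practice the gateway keeps an allowlist of known external senders and runs these checks alongside SPF, DKIM and DMARC results rather than instead of them.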