Orlando Family Physicians (OFP), a Florida practice with several offices, is the latest health system victimized by a phishing email. Over 447,000 patients had their protected health information (PHI) exposed.
On April 15, 2021, an OFP employee entered their user ID and password in response to a phishing email, handing the credentials to the attacker. A total of 4 employees had their inboxes accessed by the hacker. Further investigation revealed that the hacker had access to PHI in the compromised email accounts. 447,426 patients were affected by this exposure. Phishing is usually the entry point for attacks in which hackers steal and encrypt data and then demand a ransom for its safe return. However, OFP believes that was not this hacker's intention. In a statement, OFP claims that "the available forensic evidence indicates that the unauthorized person's purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals." While this may be true, OFP still faces HIPAA violations and fines for the exposure of PHI to an unauthorized person.
How is Orlando Family Physicians responding to the phishing attack?
OFP says it is implementing enhanced data security measures (although it does not specify what those measures are) and is providing employees with training on email security.
Read more: Is HIPAA employee awareness training enough?
How can you prevent phishing attacks on your healthcare organization?
While employee training is a vital part of cybersecurity for any healthcare provider, there is another way to stop threats from even reaching employees' email inboxes. Paubox Email Suite Plus protects your email from security threats like spam, viruses, malware, and phishing by stopping malicious emails from entering an inbox. It is an additional preventative measure to ensure that your employees don't fall victim to cybercriminals. Our patented ExecProtect feature also blocks display name spoofing emails. You don't need to worry about training your employees to use Paubox. It seamlessly integrates with your email provider, including Google Workspace and Microsoft 365, to send HIPAA compliant email directly to your patients' inboxes. Say goodbye to patient portals.