by Sara Nguyen
Email phishing attack impacts over 200,000 ClearBalance patients
ClearBalance, a patient financing company, recently reported an email data breach that exposed the sensitive information of over 200,000 patients to cybercriminals.
What happened at ClearBalance?
In its security incident report, ClearBalance explains that on April 26, 2021, the company noticed and prevented an unauthorized wire transfer of ClearBalance funds. An investigation revealed that an email phishing attack had tricked employees into giving their login credentials to hackers.
Hackers had access to ClearBalance emails for about 7 weeks in March and April before being detected. The investigation determined that the hack was limited to the email environment, and the hackers did not gain access to other network systems.
An email review showed that the hackers had access to emails that contained sensitive patient information. Some of the information may have included Social Security numbers, personal banking information, and full-face photographs.
ClearBalance reports that this data breach affected 209,719 people.
How is ClearBalance protecting data now?
- Changing all account passwords
- Implementing stronger access controls to its email cloud environment
- Updating procedures for reporting suspicious activities
ClearBalance is also offering free identity protection and credit monitoring services to affected individuals.
“ClearBalance takes your data security and privacy very seriously and we are committed to safeguarding the information you provide us,” stated the company.
How can business associates prevent phishing attacks?
Human error is often the weakest link in your security chain. While employee training is necessary for spotting potential security threats, a healthcare organization should take the onus of security off individuals as much as possible.
- Two-factor authentication: requires two forms of authentication when logging in to email accounts.
- ExecProtect: patented protection from display name spoofing attacks.
- DomainAge: blocks emails from recently registered domain names.
- Zero Trust Email: the latest security feature from Paubox that requires an additional layer of authentication before reaching your employees’ inbox.