2 min read

Mercy Iowa City phishing attack impacts 60K patients

Sara Nguyen December 9, 2020

Healthcare cybersecurity news

Yellow caution tape with 'Cyber Crime' text over blue binary code background

Cyber crime scene tape across digital background with binary code

Mercy Iowa City hospital recently announced that an employee’s email account was compromised which potentially exposed thousands of patients’ protected health information (PHI) .

What happened?

On June 24, 2020, the hospital noticed unusual activity from an employee’s email account. The team discovered a hacker had compromised the account and sent spam and phishing emails beginning on May 15, 2020. The email account had access to about 60,000 patients’ personal information, including names, social security numbers, birth dates, driver’s license numbers, and health insurance information.

How did the hacker gain access to an employee email account?

“Like the vast majority of incidents, this breach reportedly started with a phishing email that compromised an employee’s email account,” said Lisa Plaggemier, chief strategy officer at MediaPro. Cyberattacks on healthcare providers are becoming increasingly common as the pandemic continues. A recent study claims that Q3 2020 saw a 50% increase in daily ransomware attacks as compared to the first half of the year. SEE MORE: Coronavirus Cyberattacks: How to Protect Yourself

How Mercy Iowa City responded to the hack

Mercy’s investigation showed no evidence of identity theft related to the data breach. However, the company is offering a year of complimentary identity theft protection and credit monitoring to patients who had information exposed. Mercy took steps to prevent the situation from happening again by enhancing technical safeguards and implementing two-factor authentication . The hospital now faces an investigation from the Office of Civil Rights (OCR) for HIPAA violations relating to the breach. Mercy may also face additional fines since healthcare providers are supposed to report any data breaches within 60 days of discovery, which Mercy failed to do. The hospital publicly reported the breach five months after noticing the email security compromise.

How Paubox can help prevent similar attacks

Preventing your employees from falling victim to phishing emails is critical to keeping your email security robust. Although employee training on recognizing ransomware attacks, spam, and phishing emails can be a critical safeguard against cyberattacks, it’s imperative to put up technical safeguards that prevent human error. Paubox Email Suite Plus provides HIPAA compliant email and numerous security features to keep your email protected against cybercriminals. Our inbound security tools prevent threats like phishing, spam, viruses , and malware from entering the user’s inbox. It also includes two-factor authentication - which means a user will need more than a username and password to gain access to an account. For maximum security, you can also upgrade to Paubox Email Suite Premium , which includes data loss prevention (DLP) . This feature prevents a user from sending PHI, whether maliciously or unintentionally, to unauthorized users. Prevent damage to your patients and company by making your email security as robust as possible with Paubox.

Try Paubox Email Suite Premium for FREE today.

Start for free