by Kapua Iao
Article filed in
Phishing at the Nebraska Department of Health
by Kapua Iao
The Nebraska Department of Health and Human Services (HHS) reported a data breach at one of the city of Lincoln’s departments, Aging Partners. Aging Partners provides and advocates for older people within the eight-county area of Lincoln.
According to the press release, employees of Aging Partners fell victim to phishing emails, inadvertently exposing participants’ protected health information (PHI). Phishing remains a serious problem in 2021, especially for covered entities tasked with caring for their patients while ensuring HIPAA compliance.
On May 25, the City’s Information Services Department discovered that Aging Partners was hacked via a successful email phishing scam.
A cyberattacker gained access to employee email accounts between May 18 and May 21. When realized a few days later, IT cut the affected email accounts off from the rest of the system and quickly established new passcodes.
City staff performed their own investigation before transferring the evidence to a third-party company to determine the extent of the breach.
The accessed email accounts included over 46,000 emails. The investigation established that some of the emails involving 1,513 program participants contained PHI. This includes name, address, date of birth, phone number, Social Security number, date of service, type and amount of service, or other health information (i.e., medical conditions, level of care assessments, and medication).
Thankfully, the majority of the emails only included names. Unfortunately, a small number also contained bank accounts or other financial information.
Nebraska HHS recently informed the U.S. HHS Office for Civil Rights (OCR) of the breach; it has yet to be added onto OCR’s Breach Portal.
RELATED: What is the HHS’ Wall of Shame?
Nebraska HHS will send details to those affected; anyone who had financial information exposed will also receive professional credit monitoring services.
What is phishing?
Email phishing, also known as email spoofing or email impersonation, involves a malicious attempt to trick victims into giving up personal and/or online account information. This is what happened to Aging Partners employees.
Phishing is a major cause of breaches today because it can easily take advantage of tired or unaware staff using social engineering techniques. Cyberattackers may craft a malicious message to induce panic or quick action. They often capitalize on news events, like the COVID-19 pandemic.
RELATED: What is a phishing kit?
The phishing message and the outcome depend on what the cyberattacker wants. No matter the reason, cybercriminals still send malicious emails today because they target the most vulnerable of any organization: employees.
Training: necessary but not enough
This is why continuous and up-to-date cybersecurity training is important. Under the HIPAA Privacy Rule, healthcare organizations must provide employees with HIPAA compliance training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.”
Organizations train employees to mitigate risks themselves, but training must always be combined with other cybersecurity methods.
A layered approach is necessary for complete HIPAA cybersecurity compliance. And it must include email security.
Paubox Email Suite—remove some of the burden from employees
Stressed and worried employees easily become victims, which is why it is necessary to combine training with strong email security.
Paubox Email Suite Plus provides solid inbound email security, which protects against phishing emails and viruses. Moreover, our patented ExecProtect feature blocks display name spoofing attacks while Zero Trust Email asks for additional proof of legitimacy before delivering an email message.
Employees can also send HIPAA compliant emails directly to patients’ inboxes because our patented software seamlessly encrypts all outgoing messages.
Randall Jones, director of Aging Partners, emphasized in the press release that PHI privacy is a top priority of the organization. That they would add additional measures to eliminate access and ensure HIPAA compliance.
But rather than release such statements after a breach, secure your network, emails, and PHI before a cyberattack can become a disaster.