by Rick Kuwahara CMO of Paubox

Phoenix Children’s Hospital Reports Recent Phishing Attack

Phoenix Children’s Hospital, which provides specialty pediatric services, released a notice January 14 to inform the public and its patients about a late 2019 “data incident.”

Who was affected by the breach?

In November 2019, the hospital discovered that between September 5 and 20 an unauthorized third party accessed seven employee email accounts through phishing.

According to Phoenix Children’s, the breached email accounts stored limited protected health information (PHI), such as full names.

In some instances, patients’ Social Security numbers (SSNs) and certain health information were also exposed.

What steps did Phoenix Children’s take after discovering the breach?

Phoenix Children’s sent written notification to 1,860 patients to inform them that certain PHI was stolen during the breach.

Within the notification, the hospital recommended that affected patients periodically review their credit and debit statements, even though financial information was not involved.

Those with impacted SSNs received complimentary credit monitoring and identity protection services.

Phoenix Children’s emphasized that the hospital was “taking measures to help prevent this type of incident from occurring in the future” without providing specifics.

The notice further stated that a comprehensive inquiry is currently underway; the hospital is listed on the Office for Civil Rights’ (OCR) ‘Cases Currently Under Investigation’ breach list as a hacking/IT incident.

Between November 2019 and now, OCR lists close to 100 healthcare organizations and over 1 million patients affected; the largest is PIH Health with 199,548 impacted patients.

How can you protect your employees and patients?

While Phoenix Children’s breach may not have been the largest, it still demonstrates how necessary it is to have a strong cybersecurity program in place.

Such incidents should serve as a reminder to remain vigilant about cybersecurity.

Phishing attacks can happen to anyone in the health industry at any given moment, as no amount of PHI is too small for cybercriminals.

Take the first steps to ensure HIPAA compliance before a breach occurs by utilizing strong security measures such as email encryption and inbound security.
