NCH Healthcare System, an alliance of independent physicians and medical facilities in southwest Florida, began notifying patients February 14 of possible exposure due to a phishing attack in 2019.
The organization sent notifications after several months of investigation into the breach.
The initial attack
Seventy-three employees of NCH fell victim to a phishing attack early 2019, exposing employee credentials.
Suspicious activity was first noticed June 2019 within human resources timekeeping and payroll records; by July, NCH confirmed the attack was a phishing scheme.
The organization believed its separate patient records system remained unaffected in the breach.
The company reported in its initial statement:
“While NCH has no evidence of actual or attempted misuse of information presented in the employee email accounts, in an abundance of caution, NCH is currently undertaking a comprehensive review of the data in those email accounts to confirm what records may be compromised.”
After the investigation
Investigators believe that the threat actor’s sole purpose was to reroute direct deposit funds; there is no evidence that protected health information (PHI) was misused.
While medical records remain secure, the stolen credentials gave access to employee email containing PHI, such as name, date of birth, and financial records.
Less than 5% of patients had their social security numbers affected.
The months-long investigation, however, determined that no one actually viewed the employees’ email.
NCH still informed all necessary individuals of the breach so that they could monitor their financial accounts.
In general, NCH’s response to the breach is one to learn from; from the initial discovery, its investigation, and how it notified patients, NCH did its due diligence to halt further tragedy.
And while NCH’s initial security measures prevented a widespread attack, the company stated “it is implementing additional safeguards to protect the security of information.”
Ultimately, utilizing a strong HIPAA compliant email, such as Paubox Email Suite Plus, would have stopped the phishing emails from reaching employee inboxes in the first place.
SEE RELATED: HIPAA Compliant Email: The Definitive Guide
NCH did encourage all (5,000) employees to review privacy safeguards while also reminding the 73 affected to monitor their accounts.
While the NCH breach is #5 on a list of 21 notable phishing attacks of 2019, the organization’s handling of the situation represents a good teachable moment.