NCH healthcare concludes breach investigation, notifies affected patients


NCH Healthcare System, an alliance of independent physicians and medical facilities in southwest Florida, began notifying patients on February 14 of possible exposure due to a phishing attack in 2019.

The organization sent notifications after several months of investigation into the breach.

The initial attack

Seventy-three employees of NCH fell victim to a phishing attack in early 2019, exposing employee credentials.

Suspicious activity was first noticed in June 2019 within human resources timekeeping and payroll records; by July, NCH confirmed the attack was a phishing scheme.

The organization believed its separate patient records system remained unaffected in the breach.

The company reported in its initial statement:

“While NCH has no evidence of actual or attempted misuse of information presented in the employee email accounts, in an abundance of caution, NCH is currently undertaking a comprehensive review of the data in those email accounts to confirm what records may be compromised.”

After the investigation

Investigators believe that the threat actor’s sole purpose was to reroute direct deposit funds; there is no evidence that protected health information (PHI) was misused.

While medical records remain secure, the stolen credentials gave access to employee email containing PHI, such as name, date of birth, and financial records.

Fewer than 5% of patients had their Social Security numbers affected.

The months-long investigation, however, determined that no one actually viewed the employees’ email.

NCH still informed all necessary individuals of the breach so that they could monitor their financial accounts.

The takeaway

In general, NCH’s response to the breach is one to learn from: from the initial discovery, through its investigation, to how it notified patients, NCH did its due diligence to halt further tragedy.

And while NCH’s initial security measures prevented a widespread attack, the company stated “it is implementing additional safeguards to protect the security of information.”

Ultimately, utilizing a strong HIPAA compliant email, such as Paubox Email Suite Plus, would have stopped the phishing emails from reaching employee inboxes in the first place.

NCH did encourage all 5,000 employees to review privacy safeguards while also reminding the 73 affected to monitor their accounts.

While the NCH breach is #5 on a list of 21 notable phishing attacks of 2019, the organization’s handling of the situation represents a good teachable moment.

About the author

Kapua Iao
