Hackers Increasing Their Attacks on Healthcare Organizations

The Department of Health and Human Services count of major health data breaches shows the healthcare sector to be a growing target for hackers, particularly for hackers using phishing attacks.

As of April 29, the HHS website that lists breaches affecting at least 500 people shows 1,213 incidents affecting more than 133.2 million individuals since the HIPAA breach notification rule went into effect in September 2009. The recent attack against Anthem accounts for 78.8 million of those victims.

One of the most recent breaches on the list was an incident that was reported to HHS on April 24, involving phishing email targeted at employees of St. Agnes Health Care Inc. in Baltimore.

That incident affected nearly 25,000 individuals. The information that was exposed in the attack included patient names, dates of birth, medical record numbers, insurance information, some clinical information and, in some cases, Social Security numbers.

Healthcare providers have been increasingly defending against a rising number of phishing schemes. In just the last six months, the University of Vermont Medical Center has seen an increase in phishing attempts, including those that contain malware that attempts to steal credentials.

The key to preventing a phishing scam from causing a breach is to devote the needed resources to testing and training in order to raise awareness among employees. These steps help your employees spot a phishing attempt, which can then be neutralized before any credentials are exploited. Extra vigilance regarding phishing is especially warranted in the wake of massive attacks that have rocked the healthcare sector, including those affecting Anthem, Premera Blue Cross and Community Health System.

The attack on St. Agnes was not the only phishing incident in recent weeks. An attack on Dec. 4 targeted the Seton Family of Hospitals in Texas, affecting 39,000 individuals. The attack targeted the user names and passwords of Seton employees. Affected data included name, address, gender, date of birth, and also medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers.

Another phishing-related attack affected roughly 760 patients at St. Vincent Medical Group in Indiana.

As personal information becomes more valuable, we can expect to see threats continue to increase. It’s important that all healthcare providers take the steps needed to ensure that they’re protecting themselves and their patients. If you’d like to find out more about ITPAC’s phishing testing and training or other cybersecurity services, give us a call today.