A North Texas mental health services provider has announced that the sensitive files of over 1,800 patients have been compromised in a phishing attack.
Metrocare Services, the largest provider of mental health services in North Texas, discovered the attack on September 4, 2018. The organisation took immediate action to secure its network, and an investigation was launched to assess the scope of the attack. The investigators discovered that the hackers gained access to the systems by compromising several employee email accounts. The first account was breached on August 2, 2018.
Phishing is a serious threat to the healthcare industry. Protected health information (PHI) has a huge black market value, making hospitals and medical centers a lucrative target for hackers. Most phishing attacks arrive as emails: a message is sent to an unsuspecting recipient, “spoofed” to look like a legitimate email from a trusted entity. Often the recipient is prompted to click a URL embedded in the email and enter details into the website to which it links. Hackers may then steal this information and use it to gain access to the organisation’s networks, allowing them to steal files for personal gain. Emails may also contain attachments which, when downloaded, install malware onto a system.
The Metrocare breach investigators were unable to determine whether any emails containing PHI were accessed by the hackers. There is no evidence that any patient information has been used maliciously, and the investigation is ongoing.
The types of information that were exposed differed from patient to patient and included data such as names, dates of birth, driver’s license numbers, health insurance information, information relating to services received from Metrocare, and in some cases, Social Security numbers.
In accordance with HIPAA’s Breach Notification Rule, Metrocare started notifying affected patients by mail on November 1. Patients whose Social Security numbers were potentially compromised have been offered 12 months of complimentary credit monitoring and identity protection services. All patients impacted by the breach have been advised to check their Explanation of Benefits statements for healthcare services that have not been received or authorized.
In response to the phishing attack, Metrocare has also given its employees additional training on information security, and workshops on spotting suspicious emails are being held. Many people are accustomed to the “traditional” phishing attack: an unsolicited email requesting that money be sent to a certain account, often with poor spelling and grammar. In recent times, hackers have greatly improved the sophistication of their attacks, making it difficult for people to distinguish legitimate emails from spoofs. As phishing attacks have the potential to cause great damage, it is essential that those working in the healthcare industry are adequately trained to spot potentially dangerous emails and react accordingly.
In addition to employee training, Metrocare has committed to improving the security of its information technology infrastructure, and its email security has been strengthened.