Phishing Shifts Focus to Impersonation; Health Care More Vulnerable Than Other Industries

Two new reports indicate that health care is more vulnerable to phishing attacks than other industries that handle sensitive personal information, even as those attacks are getting more effective, with a massive increase in impersonation emails.

The reports, each from a different security consulting firm, come at a time when HIPAA covered entities and business associates are grappling with increasingly sophisticated phishing attempts that seek to steal credentials and gain access to protected information. Some phishing attempts even have been trying to capitalize on the shift to the European Union’s General Data Protection Regulation by sending out emails referencing the GDPR and asking recipients to update account information.

Recent breaches related to successful phishing include incidents at:

◆ Gold Coast Health Plan in California, where hackers compromised the email account of one employee and attempted to move money from the health plan into their own account.

◆ In-home health care provider Aspire Health, based in Nashville, Tennessee, where a hacker gained access to one employee’s email account and forwarded 124 emails containing protected health information (PHI).

◆ Reliable Respiratory, a respiratory care provider located in Norwood, Massachusetts, in which a hacker obtained login credentials and subsequently accessed PHI on 21,311 people.

◆ The Minnesota Department of Human Services, where two employees fell for a phishing attempt, ultimately causing a breach involving 21,000 patient records.

In addition, Anthem Inc. last month agreed to pay $16 million to OCR and take “substantial corrective action” due to a breach that resulted from a successful phishing attack. OCR’s investigation revealed that between Dec. 2, 2014, and Jan. 27, 2015, attackers stole the PHI of nearly 79 million individuals (see related story, p. 1).

This document is only available to subscribers. Please log in or purchase access.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field