A Pittsburgh-based health system has suffered a data breach with protected health information stolen.
The Allegheny Health Network described the event as a “data security incident,” and said the data was compromised between May 31 and June 1. In a statement to patients, the health system said that the compromise occurred after an employee was sent a malicious phishing email link that led to their email account being compromised. The threat actor is then said to have obtained access to files relating to approximately 8,000 patients.
After shutting down the affected email account, AHN ticked off the standard response list for a data compromise. The organization said it implemented preventative and monitoring controls, network blocking and password resets. A third-party digital forensics firm has been hired, and efforts are underway to implement additional preventive controls to enhance its security posture and email security controls.
AHN noted that it had not discovered any evidence that the data potentially accessed has been used fraudulently. Potentially compromised data includes patient name, date of birth, medical records, address, patient phone number, driver’s license number and email address. In some cases, Social Security numbers and financial account information may have also been compromised.
Affected patients are being offered two years of identity protection and monitoring services through Experian PLC at no cost.
“Email phishing continues to be a top attack vector across all industries; unfortunately, far too often it results in incidents such as this,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Attackers especially like tricking people into entering their credentials on a fake login site, which they can then use to compromise the email account.”
Kron explained that so much business is done through email, not to mention the ability to reset other account passwords through our email, and that cybercriminals know that having unfettered access to an account can lead to a windfall for them.
“To protect against attacks such as this, educating users on how to spot and report phishing attacks, then allowing them to practice the skills through simulated phishing emails, is a key way to reduce risk,” Kron added. “In addition, while not foolproof, ensuring that accounts have multi-factor authentication enabled can significantly improve the security of accounts, especially when credentials are stolen.”