
Partners HealthCare Reports Breach

Latest Phishing Attack One of Many in Healthcare Sector

Partners HealthCare System is the latest healthcare organization hit by a data breach attributed to a phishing attack.


The Boston-based integrated health delivery network, which operates several hospitals, including Massachusetts General, says it is notifying 3,300 individuals that their protected health information may have been compromised by a phishing attack late last year.

In a statement, Partners says that on Nov. 25, 2014, it learned that a group of its workforce members had received phishing emails and provided information in response to the emails, believing the messages were legitimate.

Partners says it conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers and, in some instances, Social Security numbers, and some of its patients' clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.

However, the organization's electronic health records system was not compromised by the attack. Upon learning of the phishing scheme, Partners says it took steps to secure the email accounts and contacted law enforcement. Partners also began an investigation into the phishing attack on the organization, including working with an expert computer forensic firm.

"To date, Partners HealthCare has no evidence that any patient information in the emails has been misused," the organization says. However, as a precaution, Partners recommends that affected patients regularly review the explanation of benefits statement that they receive from their health insurers. If patients identify services listed on their explanation of benefits that they did not receive, they should immediately contact their insurer.

Rise in Phishing Attacks

The official federal tally of major health data breaches also shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks.

As of April 29, the Department of Health and Human Services' "wall of shame" website of breaches affecting 500 or more individuals shows 1,211 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem Inc., accounts for 78.8 million of those victims.

Among the breaches most recently added to the list is an incident involving phishing email targeted at employees of St. Agnes Health Care Inc. in Baltimore, which affected nearly 25,000 individuals.

Also recently added to the federal tally was a phishing incident at Seton Family of Hospitals in Texas. The healthcare organization revealed last week that a phishing attack that occurred in December, but was discovered in February, affected 39,000 individuals.

Other healthcare entities have also been defending against a spike in phishing schemes. Over the past six months, the University of Vermont Medical Center has seen an uptick in phishing attempts, including those "laced with malware in an attempt to steal credentials," says CISO Heather Roszkowski in a recent interview with Information Security Media Group.

"I've really been trying to increase user awareness training around phishing to avoid those credentials from being exploited," she says. This extra vigilance in defending against phishing comes in the wake of massive hacking attacks in the healthcare sector, including those affecting Anthem, Premera Blue Cross and Community Health System.

VA Under Attack

During a media briefing on April 30, Steph Warren, CIO of the VA, says the VA also has seen "a rampant increase" in malware and intrusion attempts in recent months.

Last November, the VA blocked 15 million intrusion attempts in one month. By March, that number had climbed to 350 million, he says.

As for malware, the VA blocked or contained about 300 million instances of malicious software last November, but by March, that monthly number had exploded to 1.2 billion.

"It's something that concerns us. If we're not able to knock this back, at some point we'll be overwhelmed."


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



