Phishing attack risks leak of 80,000 patient records

Washington University School of Medicine employee responded to a phishing attempt masked as a legitimate request in December, but medical school officials didn’t learn of the incident for seven weeks.
By Jessica Davis
11:37 AM
Share

A Washington University School of Medicine employee fell victim to a phishing attack that may have compromised 80,270 patient records.

The medical school learned of the incident on Jan. 24 -- seven weeks after the phishing attack occurred on Dec. 2, officials said in a statement. The employee responded to a phishing email designed to look like a legitimate request.

As a result, an unauthorized party may have gained access to employee email accounts, which contained patient information including names, birth dates, medical record numbers, diagnosis, treatment and some included Social Security information.

At 80,000 records, the medical’s breach is one of the biggest this year. Hackers have expanded attack methods on healthcare from ransomware to incorporate phishing. A March Evolve IP study found that more than 68 percent of healthcare organizations have compromised email credentials and more than 76 percent of these stolen passwords are up for grabs on the dark web.

The organization said it secured the email accounts and began an investigation once it learned of the breach, according to officials. The incident was reported to law enforcement, and letters were sent to affected patients on March 24.

“We regret any inconvenience this incident may have caused our patients,” officials said. “To help prevent such incidents in the future, we are reinforcing education with our staff and faculty of existing protocols and university resources regarding phishing emails.”

The organization is also reviewing ways to strengthen user login authentication and business practices, officials added.

Twitter: @JessiefDavis