26,000 people have information exposed in Colorado phishing incident
A Colorado-based eye care practice reported this past week that a phishing incident had led to the potential exposure of more than 26,000 patients' information.
According to a notice posted to its website, Colorado Retina Associates first discovered that an unauthorized individual had gained access to an employee's work email on January 12.
After a forensic investigation, CRA determined that two user accounts that had patient information may have been synced, or copied, by the bad actors.
"Although CRA could not fully determine whether, and to what extent, the unauthorized individual(s) viewed any personal information, regrettably it is possible, because of the syncing, that some patients’ personal information may have been acquired and could therefore be viewed by the unauthorized individual(s)," wrote system representatives.
WHY IT MATTERS
According to the report submitted to the U.S. Department of Health and Human Services' Office for Civil Rights, 26,609 individuals were affected by the incident.
CRA first discovered the breach when the compromised account was used to send phishing emails to individuals in the employee’s contacts. After securing the email environment, CRA's investigators determined that "there was unauthorized access to certain CRA email accounts."
"Two user accounts that had patient information, may have involved 'syncing' (copying) of the email account by the unauthorized individual(s) between January 6, 2021 and January 17, 2021," continued the statement.
The personal information involved may have included contact information, date of birth, clinical information and some health insurance data.
"For less than 3% of involved individuals, social security numbers were involved, and for less than 0.2% of individuals, driver’s license, financial account, or payment card information was involved," wrote CRA.
In response, CRA required password changes to all authorized employee accounts and made changes to how authorized individuals gain access.
THE LARGER TREND
Although ransomware has been the hot-button cybersecurity topic of late, phishing (often in combination with other attacks) is a tried-and-true method for bad actors.
This past November, some hospitals in Massachusetts reportedly received emails posing as from HHS seeking information about COVID-19 statistics – raising fears about spear phishing attempts aimed at top executives and leading those systems to increase security protocols.
ON THE RECORD
"CRA is reinforcing security awareness through reminders to its entire workforce," read the notice on the website.