Patient data exposed for months after phishing attack on Sunspire
Several employees of Sunspire Health, a nationwide network of addiction treatment facilities, fell victim to a phishing email campaign, which may have exposed personal patient information for about two months.
Hackers were able to access some employee email accounts between Mar. 1 and May 4, but officials did not become aware of the cyberattack until sometime between April 10 and May 17. Officials did not give an explanation as to why the discovery took more than a month.
Sunspire did not respond to a request for comment.
The impacted email accounts contained names, dates of birth, Social Security numbers, medical data like diagnoses and treatments, and health insurance information.
Officials are continuing to investigate the scope of the incident and have added technical and administrative security protections, along with further employee training to prevent another breach. All patients are being notified and offered a year of free credit monitoring.
While officials have notified the U.S. Department of Health and Human Services, the number of patients impacted by the breach haven’t been posted to the breach reporting tool.
Sunspire is the second provider this week to report a months-long breach after a phishing attack. Two employee email accounts of Tennessee-based Alive Hospice fell victim to phishing and were breached for one to four months, potentially giving hackers access to troves of data.
Hackers continue to pummel the healthcare sector with phishing attacks. Manitowoc County, CareFirst, Onco360, Aultman Health Foundation and several others have fallen victim this year. They should serve as a reminder to implement continuous monitoring to better detect abnormal behavior on a network and to ensure employees are trained to detect suspicious emails.
Hackers, data breaches and other pressing security matters will be among the topics experts discuss at the upcoming HIMSS Healthcare Security Forum in Boston, Oct. 15-16. Register here.