Phishing attack breaches 38,000 patient records at Legacy Health
According to the notice, officials discovered unauthorized access to some employee email accounts on June 21. However, the access began several weeks earlier, in May 2018. The health system hired a third-party forensic firm to help with its investigation.
Officials determined patient data was included in the breached email accounts, including demographic information, dates of birth, health insurance data, billing details, medical data and, for some patients, Social Security numbers and driver’s licenses.
Legacy Health is “implementing additional access restrictions.” All impacted patients were given one year of free monitoring. No further details were provided.
The health system is just the latest to be breached by a phishing attack this year. In fact, the most recent Protenus Breach Barometer found phishing attacks were the greatest cyber threat of the second quarter of 2018.
In July alone, four organizations reported breaches that stemmed from phishing attacks; the biggest was at UnityPoint Health, with 1.4 million patient records. What’s worse is that it was the health system’s second breach from a phishing attack this year.
Fending off phishing attacks begins with staff education. Many organizations have found success in phishing simulations that test awareness among employees. Network monitoring is also critical to detect abnormal access or user behavior.