Phishing attack on Manitowoc County breaches PHI for 3 months

Hackers hijacked an employee email account and diverted emails sent to the account to another account for which the county did not have access.
By Jessica Davis
01:02 PM
Share
Phishing attack on Manitowoc County breaches PHI for 3 months

A phishing attack on Manitowoc County in Wisconsin potentially breached personal healthcare information for about three months.

Officials discovered the breach on April 24; however, the hackers began accessing a Manitowoc County email account “on or around” Jan. 14. The hacked email account was immediately secured, but the unauthorized access went on for about three months.

During the event, the cybercriminals diverted emails sent to the impacted account to a different email account to which the county did not have access, officials said. The investigation couldn’t rule out a breach, nor did officials determine whether the data was misused or sold.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The breached data included demographic and health information for all individuals who received health services through the county, including insurance details, prescriptions, diagnoses, client ID numbers and other medical information. This type of information is often used by cybercriminals for medical fraud.

Officials did not specify how many individuals were included in the breach, and it’s not yet listed on the Department of Health and Human Service breach portal. Officials said all impacted individuals have been notified.

The length of time until discovery is notable and highlights the need for all organizations to ensure they have proper ID and access management in place that would allow IT to better detect any unauthorized access or abnormal activity on the network, such as the diverted emails.

Especially as healthcare and government entities have continued to be targeted by hackers this year, security monitoring is crucial. In March, a ransomware attack on the city of Atlanta shut down the city for a number of days and cost the city millions to recover.

And in January, a hack on an Oklahoma state health services network breached the data of more than 275,000 patients.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com