Phishing attacks breach Alive Hospice for 1 to 4 months

Two employee email accounts were breached by phishing attacks, which potentially gave hackers access to a trove of highly sensitive data that varied by patient.
By Jessica Davis
10:07 AM
Share
Phishing attacks breach Alive Hospice

Credit: Alive Hospice on Facebook

Two employees of Tennessee-based Alive Hospice fell for phishing attacks, which potentially breached patient data for one to four months.

During a review of their email system on May 15, officials discovered unauthorized access to two separate employee email accounts that began on December 2017 for one account and around April 5 for the other.

Officials launched an investigation with a third-party forensics team and changed the impact users’ passwords. The investigation determined the impacted accounts contained personal information.

While the breached data varied by patient, it included a vast store of highly-sensitive information including: Social Security information, passport numbers, driver’s licenses or state identification cards, copies of marriage and or birth certificates, financial data, medical histories, IRS pin numbers, digital signatures -- and even security questions and answers.

Officials said there was no evidence this data was accessed, but this type of data can be leveraged by hackers for a wide-range of activities from sale on the dark web to medical fraud.

Alive Hospice is continuing to work with its investigation team to identify and establish resources to help impacted patients, officials said. They’ve also added additional security features since discovering the incident. Notification letters were sent to impacted patients on July 13.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The breach highlights the need for organizations to implement continuous monitoring of its systems. The process helps both with proactively identifying risk areas and vulnerabilities, along with the capability of monitoring any abnormal activity on a network.

Alive Hospice did not respond to a request for comment by the time of publication. The breach has not yet appeared on the U.S. Department of Health and Human Services breach reporting tool.

Phishing attacks, data breaches and other pressing threats will be among the topics discussed at the upcoming HIMSS Healthcare Security Forum in Boston, Oct. 15-16. Register here.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com