The assisted living facility provider DePaul has announced that a successful phishing attack on its networks has compromised patient data.
DePaul, which operates facilities in New York, North Carolina, and South Carolina, discovered the breach on February 1, 2019. IT security staff immediately took steps to secure the compromised account and block the unauthorised individual’s access.
Phishing attacks against health organisations have become increasingly common in recent years. Health data have significant black-market values, making them potentially lucrative targets for hackers. A successful phishing or ransomware campaign can earn a hacker thousands of dollars with minimal effort on their part.
DePaul launched an investigation into the breach. The investigators determined that the hacker only compromised one email account. The hacker appears to have gained access by fooling an employee using a phishing campaign. The email account contained approximately 41,000 emails. The investigators checked the emails to determine whether they contained any sensitive information.
The data were linked to patients of DePaul’s behavioural health program. While the vast majority of emails did not contain private medical or psychiatric information, a small number of emails contained information such as first and last names, dates of birth, or Social Security numbers.
The threat actor behind the attack appears has gained access to the account to use it to send further phishing emails. The investigators did not find any information to suggest the attacker viewed or copied emails containing sensitive information.
While DePaul has not found evidence that individuals are at risk of fraud, they have offered complimentary credit monitoring services for one year to individuals who had Social Security numbers compromised. DePaul will be providing staff with additional training to improve resilience to phishing attacks.
The breach has yet to be uploaded to the HHS’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been affected by the breach.