Phishing Attack at East Central Indiana School Trust Affects 3,200 Individuals

East Central Indiana School Trust (ECIST) is notifying more than 3,200 individuals that a phishing attack may have compromised their protected health information (PHI).

On May 22, 2019, the organization noticed suspicious activity on an employee email account. ECIST immediately took steps to secure the account and revoke the unauthorized access.

ECIST launched an investigation into the incident and discovered that on May 19, 2019, an employee responded to a phishing attack and therefore disclosing their email account credentials to an unauthorized individual. The hacker used these credentials to access the account, which contained sensitive data.

ECIST hired a third-party computer forensics company to investigate the breach and investigate the scope of the attack. ECIST wished to determine whether sensitive information was compromised or stolen in the attack.

The investigators did not uncover any evidence to suggest emails in the account were copied, altered, or exfiltrated by the attacker, but the possibility of unauthorized data access and theft could not be ruled out.

The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information.

As ECIST was unable to rule out whether a hacker had accessed sensitive information, the decision was taken to send breach notification letters to all affected individuals informing them of the breach. The letter included information on how to mitigate the risk of the individuals falling victim to identity fraud.

The breach has been reported to the HHS’ Office for Civil Rights as potentially impacting up to 3,259 trust members’ employees and their dependents.

This incident shows how important it is that organizations adequately train all of their employees in cybersecurity best practices; a single employee replying to a phishing email was enough for the network to be compromised and for 3,200 individuals to be in danger of being defrauded.