Phishing Attack at St. Croix Hospice Compromises PHI of 21,000 Patients
St. Croix Hospice is notifying 21,000 patients that their protected health information (PHI) may have been compromised in a phishing attack.
St. Croix Hospice is a provider of hospice care in Minnesota and Wisconsin. On May 10, 2019, suspicious activity was detected on an employee’s email account. St. Croix Hospice engaged a third-party cybersecurity firm to assist with an investigation into the account. Investigators discovered that an unauthorized individual had gained access to the email accounts of several employees and may have viewed confidential patient information.
Unauthorized access to the accounts was revoked on May 11, 2019. Investigators determined that the attacker first compromised an employee email account on April 23, 2019, meaning the accounts were accessible to the attacker for roughly two and a half weeks before the intrusion was detected.
The attacker used a phishing campaign to gain access to the employee email accounts. Health information commands a high price on the black market, which makes any organization that holds such sensitive data a potentially lucrative target, and a single successful phishing campaign can be worth thousands of dollars to the attacker.
Investigators found no evidence that the information had been copied, altered, or misused. However, that possibility could not be ruled out definitively.
A systematic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed.
The emails included information such as names, addresses, financial information, Social Security numbers, health insurance information, medical history, and treatment information.
In accordance with HIPAA’s Breach Notification Rule, St. Croix Hospice has sent breach notification letters to all affected patients. It has also offered complimentary credit monitoring and identity theft protection services to reduce the risk of those affected by the breach becoming victims of fraud.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows the breach impacted 21,407 patients.
This incident highlights the importance of thorough employee training on the dangers of phishing. Employees should be taught to recognize the signs of a phishing email and to forward such emails to the IT department without responding to them in any way, including clicking links or opening attachments. Phishing emails are often well-designed and difficult to distinguish from legitimate messages. However, regular and robust training goes a long way toward ensuring that the confidentiality, integrity, and privacy of patient information remain intact.