Presbyterian Healthcare Services is notifying 183,000 patients that an unauthorised individual accessed their personal data.
The hackers gained access to the patient data after successfully fooling several employees into handing over their login credentials through a phishing campaign. The attack occurred on May 6, 2019, and the unauthorised access was not noticed until June 9, giving the hacker over a month of access to the protected health information (PHI).
The accounts contained the names, dates of birth, and Social Security numbers of patients and health plan members.
Once the hackers were discovered, IT staff immediately took action to revoke the unauthorised access. An investigation was immediately launched to determine the scope of the breach and whether the integrity of the patient information had been compromised.
The investigators did not uncover any evidence that the hackers had stolen or altered any patient information. Presbyterian Healthcare Services has yet to receive any reports to suggest any PHI has been used in fraud or identity theft.
According to a statement made by Presbyterian Healthcare, the breach affected approximately 183,000 of their 855,000 patients. All affected individuals were based in New Mexico, where Presbyterian Healthcare is located.
“At Presbyterian, we take the responsibility of protecting the privacy of our patients and members very seriously,” President and CEO Dale Maxwell said. “We deeply regret that this event occurred and are committed to taking steps to help prevent this type of incident from happening again.”
Federal law enforcement has been informed of the breach.
Presbyterian Healthcare has offered all affected individuals complimentary credit monitoring and identity theft protection services for 12 months. Patients have been advised to monitor their accounts and explanation of benefits statements carefully for any sign of fraudulent activity.
Presbyterian Healthcare Services has stated that it is implementing new security measures to prevent any further breaches of this nature in the future.
Phishing poses a severe threat to the healthcare industry, with the number of phishing attacks reported by HIPAA covered entities skyrocketing in recent years. Hackers have become increasingly crafty in designing their phishing emails, making them ever more convincing and difficult to distinguish from legitimate emails.
A thorough training course is essential in equipping employees with the ability to spot suspicious emails. It only takes one employee to fall for a scam for an entire organisation’s patient database to be placed at risk.