Reliable Respiratory, a respiratory care provider, has announced that it has fallen victim to a phishing attack.
Reliable Respiratory, based in Norwood, MA, stated that IT staff discovered the breach when they detected suspicious activity on an employee’s email account on July 3. The organisation immediately launched an investigation, which revealed that a hacker had gained access to the email account when the employee responded to a phishing email. The hacker harvested their email credentials and used them to gain access to Reliable Respiratory’s network.
The healthcare facility hired third-party security consultants to assist with the investigation and to determine the extent of the breach. The investigators confirmed that the hacker gained access to the account between June 28 and July 2.
Healthcare organisations are lucrative targets for hackers. Protected health information (PHI) has a substantial black market value, so hackers who design phishing campaigns may earn a substantial profit for relatively little effort. Phishing campaigns are particularly effective because only one employee needs to respond to a phishing email for the hacker to gain access to potentially hundreds of data files.
The investigators checked each email in the account to determine whether the hacker had accessed any sensitive information. While investigators could not ascertain whether the information in the account had been viewed or copied, the possibility could not be ruled out.
The types of information exposed differed per individual but may have included name, medical diagnoses, treatment information, medication/prescription information, medical record number, health insurance information, bank or financial account information, driver’s license or state identification number, Social Security number, claims/billing information, date of birth, credit or debit card information, username and password, and passport number.
In response to the breach, Reliable Respiratory has introduced new security controls to prevent phishing and other cyber attacks. Controls were already in place before the attack, but the hacker managed to bypass them. Reliable Respiratory is reviewing and updating its policies and procedures to prevent further attacks.
Following HIPAA’s Breach Notification Rule, the healthcare facility is sending breach notification letters to affected patients. The letters provide further information on how affected patients can reduce their risk of identity fraud. Reliable Respiratory advises all patients to monitor their accounts carefully for any suspicious activity.
This phishing attack highlights the importance of employee awareness of the dangers of cybercrime. Training courses should be held regularly to update employees on new methods of mitigating the risk of such attacks and to remind them how to spot phishing emails. As the Reliable Respiratory case shows, it takes only one employee mistakenly responding to a phishing email for PHI to be put at risk.
Reliable Respiratory has reported the breach to state regulators and the Department of Health and Human Services’ Office for Civil Rights. At the time of writing, the number of patients impacted by the incident is unknown.