Third-Party Phishing Attack Affects 34,862 Lafourche Medical Group Patients
Urgent care center operator Lafourche Medical Group, located in Louisiana, has notified 34,862 patients of a security breach that likely exposed their protected health information (PHI).
Lafourche Medical Group discovered on March 30, 2021 that a third-party accountant had responded to a phishing email impersonating one of the group's business owners and had disclosed account credentials to the threat actor. The stolen credentials were then used to gain access to the group's Microsoft 365 environment.
A third-party IT provider assisted with the investigation and found no evidence that the group's on-site systems or its web-based electronic medical record system had been breached; however, the credentials may have been used to view or retrieve information from the Microsoft 365 account, which contained a range of patient information. Because of the size of the email system, it was not possible to determine all of the patient data that may have been present in the account, according to Lafourche Medical Group's substitute breach notice.
Clinical information was not exposed; however, email was used to communicate certain patient data for billing and other clinic requirements. The types of information typically sent by email include names, addresses, email addresses, dates of birth, dates of service, phone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating physician names, and laboratory test results.
A stronger vetting process has been put in place for business associates, and an independent IT firm was engaged to re-examine the group's computer systems and security procedures and to recommend improvements to data protection. Several measures have already been implemented to strengthen security, including hardening the firewall and the spam, adware, and spyware filters, applying stricter password policies, enabling multi-factor authentication for mobile access, and retraining staff on cybersecurity, phishing, and social engineering.