Phishing Attacks at Hospice Expose PHI, PII
A hospice in Tennessee didn't realize until months after suffering a phishing attack that it may have resulted in the access of sensitive protected health information.
A chain of clinics in middle Tennessee continues to grapple with the fallout from two phishing attacks that appear to have compromised a slew of information, much of it health data, on its patients.
Alive Hospice, an organization that operates three inpatient units in and around Nashville, disclosed the attacks last Friday with a press release and F.A.Q. on its site. The clinics, which specialize in hospice, palliative care, and grief counseling, began mailing notice letters to affected individuals that same day.
One of the phishing attacks occurred on December 20, 2017, but the true extent of the incident wasn't discovered until five months later, in May of 2018. A second attack occurred more recently, on April 5 of this year. The company didn't realize either attack may have resulted in the access of sensitive data until around May 15, when the hospice was performing a review of its email system.
Judging from the press release, an attacker could have a field day with the amount of information jeopardized by the incident.
According to the hospice, information potentially compromised by the attacks includes patient names, dates of birth, Social Security numbers, passport numbers, driver's license or state identification numbers, copies of birth or marriage certificates, financial account numbers, medical history information, treatment and prescription information, health insurance information, username/email and password information, biometric identifiers, IRS PIN numbers, digital signatures, and security questions and answers.
If it fell into the wrong hands, a cache of information like that could lead to identity theft, tax fraud, credit card fraud, marriage fraud, or at the very least, further phishing attacks, likely of the highly targeted variety. Not to mention that if any of the patients used the same username, email, or password combination for another service, they could be opening themselves up to further repercussions as well.
It's unclear exactly how many of the hospice's patients may have been impacted by the phishing attacks, but according to its site, Alive Hospice's facilities collectively serve 430 patients daily, and 2,600 annually.
The hospice insists it has no evidence that the personally identifiable information (PII) or protected health information (PHI) of its patients has been misused but that it's alerting patients so they can take the necessary precautions to protect their data.
Given the incident likely violates HIPAA, the Health Insurance Portability and Accountability Act of 1996, the hospice claims it also reported the incident to the U.S. Department of Health and Human Services, as well as required state regulators. The breach has yet to surface on OCR's HIPAA Breach Reporting Tool (HBRT), something that could suggest just a delay or that the number of individuals impacted is fewer than 500.
The hospice claims it "took steps to change the user's password on both occasions," but it appears that wasn't enough; the email was all the attackers needed to gain a foothold in the organization.
While it's good the hospice was able to trace the unauthorized activity to the phished email accounts, it's unfortunate it took the facility nearly six months, after it recruited third-party forensic investigators, to do so.
It's even more puzzling that once someone got into the hospice's email system, they essentially had the keys to the kingdom, with the ability to gain access to everything from a patient's medical history to their Social Security number.
In the wake of the incident, the hospice claims it's implementing additional safeguards to protect the security of patient information, but having a series of measures in place to defend against phishing attacks in the first place could have helped protect Alive Hospice's data.
A combination of employee education, monitoring, robust policies for data security, and endpoint detection and response can help employees recognize and avoid phishing attacks, not to mention secure PHI and PII.