Skip to main content

HHS Warns of New Phishing Scam Targeting Healthcare Orgs

by Chris Brook on Tuesday February 28, 2023

Contact Us
Free Demo

The latest phishing campaign targeting the industry involves a convincing looking Evernote landing page.

Like most industries these days, the healthcare industry is no stranger to phishing attacks.

One of the latest involves convincing a recipient that they've received a secure message. While the email comes with a generic-sounding “Business Review” subject line, in actuality, the scam is an attempt to harvest the victim’s credentials, potentially so they can be used as a way for attackers to carry out business email compromise (BEC) attacks in the future.

The Health Sector Cybersecurity Coordination Center, a division of the Department of Health and Human Services that helps to identify, correlate, and communicate cybersecurity information across the Healthcare and Public Health (HPH) sector, warned about the campaign in an alert to healthcare organizations last week.

The scam relies on tricking an individual into opening an attachment, something that in turn directs users to a convincing looking Evernote site. If the user follows through and opens it, they're led to an HTML download - classified as a malicious phishing Trojan by the Health Sector Cybersecurity Coordination Center - that tries to ply the user out of their login, whether its Outlook, IONOS, AOL, or some other email.


While malicious spam and phishing attempts are a dime a dozen these days, what makes this scam interesting is that it's framed around delivering a secure message, something that could make it more convincing to some users, especially as the healthcare industry necessitates secure, HIPAA-compliant communication.

The victim organization logo adorns both the email signature and the fake Evernote page, something that employees may not second guess, either.

The email looks similar to a legitimate Cisco Secure Email Encryption Service email, too. It even contains a link to initiate a new email message, through Cisco's website, and the same text that Cisco Secure Email Encryption Service emails contain: “If you have concerns about the validity of this message, contact the sender directly.”

Defenders will want to pay attention to the indicators of compromise (IOCs) provided in the alert, along with a series of mitigations and workarounds. While many are common sense these days - use unique passwords, don't open emails from senders you don't know, etc. - they could prove valuable for new hires and those just getting started with working with healthcare systems and sensitive data.

While security awareness training has helped better prepare employees and defenders alike from phishing attacks, they're still enormously effective. According to Verizon's 2022 Verizon Data Breach Incident Report (DBIR), 35% of ransomware attacks involved the use of email, proving the technique still one of the most useful avenues that bad actors can use to gain a foothold into an organization.

Paying extra attention to the email's sender along with being wary of opening attachments from senders you don't know can go a long way when it comes to preventing a phishing attack.

Despite being such a data-ripe industry, the Health Sector Cybersecurity Coordination Center has only been around since 2018; plans for the center were born in the wake of 2017's WannaCry ransomware attack.

Over the last few weeks, the Center has really ramped up its alerts to healthcare stakeholders. Since the beginning of the year its warned organizations about security risks associated with cloud services and providersIoT threats, ransomware – in April it warned of the "exceptionally aggressive" group Hive – and web application attacks.

Tags:  Healthcare Phishing

Chris Brook

Chris Brook

Chris Brook is the editor of Digital Guardian’s Data Insider blog. He is a cybersecurity writer with nearly 15 years of experience reporting and writing about information security, attending infosec conferences like Black Hat and RSA, and interviewing hackers and security researchers. Prior to joining Digital Guardian–acquired by Fortra in 2021–he helped launch Threatpost, an independent news site that was a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the latest security insights
delivered to your inbox each week.