News Feature | June 30, 2015

Indiana Health System Falls Victim To Phishing Attacks

By Christine Kern, contributing writer

Attack used phishing emails to access employee emails

Experts have been warning organizations to watch for malware and phishing attacks, and now Beacon Health System has found out first-hand how real the threat is. The South Bend, IN-based health system has announced it had been the subject of a phishing attack in which employee emails – some of which contained patient information – were accessed, according to a Beacon news release.

During an investigation of the “sophisticated cyberattack,” Beacon discovered certain email boxes had been accessed between November 2013 and January 26, 2015. The investigation has uncovered no misuse of information, but because the attack exposed personal and protected health information of some individuals, Beacon began notifying affected individuals on June 5.

The breach affected some 220,000 patients, according to Data Breach Today.

In the release, Beacon, which oversees Memorial Hospital in South Bend and Elkhart General Hospital, assured patients “there is no evidence of any actual or attempted misuse of personal or protected health information belonging to Beacon Health system patients.”

“While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes,” Beacon’s news release read. “The majority of accessible information related only to patient name, doctor’s name, internal patient ID number, and patient status (either active or inactive).”

Information accessible via the emails included Social Security number, date of birth, driver’s license number, diagnosis, date of service, as well as treatment and other medical record information, the statement explained.

Following the standard procedure in cases of a potential breach of PHI, Beacon is providing one year of free identity and credit monitoring and restoration services to affected individuals, as well as access to a confidential assistance line and an identity theft protection specialist. In addition, Beacon has stated it is currently reviewing its policies and procedures and will implement additional layers of security to prevent such an event from happening again.

The event is another reminder that healthcare organizations must be ever vigilant about their layers of security, and highlights the importance of multi-factor authentication, of security measures such as encryption of data, and of how email is used to share PHI. In fact, healthcare is dead last in email security, according to a recent Agari State of Email Trust report, indicating the industry as a whole has to pay closer attention to these types of threats.

Security and privacy expert Kate Borten told Data Breach Today, “Email – or at least any confidential email – going outside the organization’s local network should be encrypted. And increasingly, healthcare organizations are doing just that.” However, she cautioned, phishing schemes trick users into volunteering their email login credentials, making encryption moot. “Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There’s no silver bullet.”