On February 11, 2014, Centura Health, the nonprofit umbrella that owns Mercy Regional Medical Center in Durango, Colorado, experienced a phishing attack on employees that resulted in a breach of privacy that left the personal information of about 1,000 patients accessible to unauthorized individuals. A small group of employees responded to a “phishing” email, in which the attackers posed as a trustworthy individual and emailed employees asking them to provide their email account username and password. Thinking the request was legitimate, several employees fell for the scam.
According to Centura’s press release about the breach, which was discovered 10 days later, it immediately hired an external forensics expert to perform a comprehensive review of the affected employees’ e-mail accounts. This review confirmed that some of the e-mails in the accounts did contain patients’ protected health information, including demographic and medical information. There was, however, no evidence that the information in the emails was ever viewed or used in any way.
As a precaution, Centura mailed letters to all potentially affected patients and established a call center to address patient concerns. It also contacted the appropriate authorities and is taking steps to “implement and/or reinforce necessary protective measures” to help prevent future phishing scams from exposing ePHI. These steps include “immediately stopping the attack, performing an investigation and hiring an outside forensics expert to assist, reinforcing education to all employees regarding ‘phishing’ e-mails, and continuing to implement enhancements for strengthening user login authentication.”
As Chase Olivarius-McAlister points out in his article about the potential breach in The Durango Herald, “Phishing schemes are incredibly difficult for large organizations to thwart because their success relies on human gullibility, rather than technological weakness.”
Training and education are the most effective avenues through which healthcare organizations can work to prevent phishing attacks such as this one from leading to a potentially costly and impactful data breach. In a risk analysis, employee security behavior can be evaluated through simulated phishing attacks. A particularly effective moment to deliver security awareness training is immediately after an employee falls victim to a simulated attack. Eagle Consulting can provide both the analysis and powerful, online, real-time employee security awareness training to improve employee competency, reduce dangerous employee behaviors, and reduce the likelihood of a breach such as the one that occurred at Centura Health. Please contact us for details.