Despite being in the middle of a pandemic, hackers have wasted no time in stealing patient and personal data. Here is a summary of cybersecurity breaches that occurred over the year to several healthcare entities:
Florida Orthopaedic Institute (FOI): a ransomware attack inserted malware on their servers. Administrators were able to quickly secure the system, but the investigation found that patient data was potentially exfiltrated or accessed during the attack. 640,000 patients were impacted.
Magellan Health: a sophisticated ransomware attack hit their servers, compromising the data of 365,000 patients. Hackers gained access by leveraging a social engineering phishing scheme that impersonated a Magellan Health client five days before the ransomware was deployed.
BJC Healthcare (Missouri): a phishing attack was detected by its security team on the same day it occurred; however, the data was still compromised, impacting about 288,000 patients.
Benefit Recovery Specialists (Missouri): employee credentials were hacked to gain access to the insurer’s systems and deploy malware, breaching the data of 274,837 patients from several providers and payers that use them for billing and collections services.
Ambry Genetics (California): This clinical genomic diagnostics vendor suffered an email hack which compromised the data of 232,772 patients. The hacker gained access through an employee’s email.
Northwestern Memorial Healthcare: 56,000 donors and patients were notified that their personal records were accessed due to a data breach by one of their software vendors (Blackbaud) where an unauthorized party had gained access to Blackbaud’s systems.
Northshore Health System: 348,000 patients, employees, and/or donors were notified that their personal records were accessed due to a data breach by one of their software vendors (Blackbaud), where an unauthorized party had gained access to Blackbaud’s systems.
University of Kentucky Healthcare: 163,000 patients, employees, and/or donors were notified that their personal records were accessed due to a data breach by one of their software vendors (Blackbaud), where an unauthorized party had gained access to Blackbaud’s systems.
Roper St Francis Healthcare (South Carolina): 92,963 donors were notified that their personal records were accessed due to a data breach by one of their software vendors (Blackbaud), where an unauthorized party had gained access to Blackbaud’s systems.
Not all breaches are caused by cyberattacks, but implementing secure practices is still critically important. For example, the following data breaches occurred this year:
Health Share of Oregon: The theft of a laptop owned by their transportation vendor compromised the data of 654,000 patients.
Elite Emergency Physicians and St. Joseph Health System (Indiana) reported a security incident involving the improper disposal of patient records, impacting 550,000 patients through their third-party record storage vendor.
There was also an increase in phishing campaigns related to the coronavirus. For example, emails that appeared to come from the Center for Disease Control (CDC) were actually sent by hackers trying to access data by luring the recipient into clicking a malicious link.
Some may even look like they are coming from your employer, creating a sense of urgency to click on a link.
As you can see, breaches can occur in various ways, including accidental exposure by employees. Here is what Discovery is doing to remain cyber secure:
- Making sure remote connections are secure
- Training employees on what social engineering, phishing, and ransomware attacks look like and how to avoid clicking on malicious links. Monthly training is required as part of Discovery’s ongoing commitment to security
- Updating our vendor management process to prevent third-party incidents and breaches
- Annual attestation to policies to help remind and educate Discovery’s workforce of our compliance, security, and privacy practices
Quick tips for recognizing and avoiding coronavirus-themed phishing emails
- Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.
- Check the email address or link. You can inspect a link by hovering your mouse pointer over it to see where it actually leads. Sometimes it’s obvious the web address is not legitimate, but keep in mind that phishers can create links that closely resemble legitimate addresses. Forward the suspicious email to your security team, then delete it.
- Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email.
- Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” can be a signal that the email is not legitimate.
- Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information—right now.