Atrium Health Responds to New Social Engineering Attack



Atrium Health announced on its website Friday that it is sending notices to some patients and employees who may have been affected by a malicious email sent to some health system employees on April 29.

The Charlotte, North Carolina-based health system noted that its electronic medical records are separate from its email system and were not affected by the incident.

WHY IT MATTERS

Part of Advocate Health, the third largest nonprofit healthcare system in the United States, Atrium recently discovered that an unauthorized third party had accessed a limited number of employee email accounts via a phishing email originally sent on April 29.

Based on an ongoing investigation, the health system said it appears an unauthorized third party accessed the affected account for a period of one day, through April 30. The health system said the unauthorized third party activity did not focus on the content of medical or health information in employee email inboxes.

Atrium, which operates in Winston-Salem, North Carolina, Georgia and Alabama, is sending letters to patients and employees whose personal information may have been exposed in the incident.

Information that may have been accessed in the social engineering attack includes:

  • First name and/or last name.
  • Street address.
  • Email address.
  • Social Security Number.
  • Date of birth.
  • Medical record number.
  • Driver’s license or state-issued identification number.
  • Bank or financial account number or information.
  • Treatment/diagnosis.
  • Prescription.
  • Information about health insurance and/or treatment costs, such as patient identification number and health insurance account or contract number.

To reduce the risk of similar incidents, Atrium said it will provide additional training and education about phishing scams to its employees, as well as offer free credit monitoring and identity protection services to those involved in the attack.

THE BIGGER TREND

The most common attack style is a phishing email, which can give an attacker access to an employee’s email account; from there the attacker can move on to attacking networks, refund payment systems, etc.

Threat actors are also targeting healthcare IT help desks by posing as employees to trigger password resets on employee accounts. In June, the Federal Bureau of Investigation and the Department of Health and Human Services issued an advisory about cyber threat actors using emails and phone calls to attempt to steal healthcare payments.

After posing as management or revenue cycle employees to gain access, they diverted legitimate payments, the FBI and HHS said.

“Phishing is the most common way hackers can gain access to the health care system to steal sensitive data and health information,” Melanie Fontes Rainer, director of the Office for Civil Rights, said in December when OCR settled its first HIPAA data breach for a phishing attack.

While “Atrium apologizes after email scam fools workers,” a report in the Charlotte Observer noted, the growth of artificial intelligence only enhances attacks, improving the quality and quantity of phishing emails.

ON THE RECORD

“Atrium Health is not aware of any attempt or misuse of personal or patient information and there is no evidence that any personal information was accessed as a result of a phishing attack,” the provider said in a statement.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
