The Austin, Tx.-based Seton Family of Hospitals, part of the Ascension health system, has acknowledged a phishing attack on its organization that resulted in the potential exposure of some personal health information for approximately 39,000 patients.
Seton said that it experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Seton launched an investigation with the assistance of computer forensics experts, and determined in February of 2015 that the employee email accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.
The personal health information in the email accounts included demographic information (such as name, address, gender and date of birth), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records, Seton officials said.
Seton said that it is taking steps to mitigate this incident by notifying affected individuals via letter, posting a substitute notice and providing notice to prominent media outlets in the area. Identity monitoring and protection services are being offered free of charge for those whose Social Security numbers have been affected by the incident. Additionally, Seton is working with its e-mail service provider to evaluate ways to enhance its security program.
The healthcare industry is certainly no stranger to phishing attacks. In a recent blog post for Healthcare Informatics, Mac McMillan, CEO of the Austin, Tx.-based CynergisTek and current chair of the HIMSS Privacy & Security Policy Task Force, said, “many of the more serious hacks or malware attacks were preceded by a phishing effort first. We saw random phishing attacks, directed spear phishing and combinations. These attacks are often successful because they prey on people’s emotions, desires, in some cases fantasies, but more often than not, it’s the expectation that recipients are tired, busy or in a hurry and not paying attention.”