A phishing attack at Family Physicians Group, Orlando, has resulted in 8,400 patients having their protected health information (PHI) compromised.
The breach was identified on August 21, 2018. An official investigation into the breach revealed that a staff member’s email account was accessed by an unauthorised individual, with access first gained on August 7. It was discovered that the hacker gained access to the account when the staff member in question responded to a phishing email.
Due to the high black-market value of healthcare information, organisations such as hospitals and clinics are frequent targets of these attacks. Although HIPAA requires certain technical safeguards to be in place to minimise the risk of phishing emails reaching employees' inboxes, the sophisticated nature of these attacks means some get through. It takes only one employee responding to such an email for the entire network to be compromised. Although employees are often trained to spot phishing emails, that training is often infrequent and inadequate, and human error is inevitable.
Family Physicians Group, owned by Humana, is one of the biggest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida. The organisation operates 22 clinics in the region. It is estimated that 8,400 patients had their PHI compromised in the data security incident.
Patients who were affected by the breach were made aware of the incident on December 28, 2018. It has still not been revealed why it took in excess of 4 months to send notifications to patients. In accordance with HIPAA’s Breach Notification Rule, patients should be notified without “undue delay”, and no later than 60 days after the breach was discovered. It is likely that there will be some repercussions due to the Family Physicians Group’s tardiness in sending the breach notification letters.
A review of the emails in the compromised account showed that a number of messages contained the protected health data of patients. No financial information or Social Security numbers were included in any of the correspondence. The breach was restricted to names, dates of birth, physicians’ names, and health insurance data.
Family Physicians Group has stated that there is no evidence that any patient information has been used for malicious purposes, but advises all affected patients to monitor their accounts for suspicious activity.
The organisation has changed all email passwords as a precautionary measure and has enhanced its email application and put in place additional security measures to prevent future phishing attacks.