The U.S. Agency for International Development (USAID) was impersonated in a phishing attack that resulted in the breach of the protected health information (PHI) of roughly 12,000 patients of Revere Health, a Utah healthcare provider. The phishing attack was detected promptly by the Revere Health IT team, which quickly secured the mailbox to stop further unauthorized access. According to a breach notice issued by Revere Health, the mailbox was compromised for only about 45 minutes on June 21, 2021.
An investigation was conducted to determine whether any data in the email account had been viewed or downloaded. Although it was not possible to establish whether emails in the account were read or exfiltrated, Revere Health said it had scanned the web and found no instances of patient records being posted online.
A review of the email messages and attachments established that they contained the PHI of patients of the Heart of Dixie Cardiology Department in St. George. The information included medical record numbers, dates of birth, provider names, procedures, and insurance provider names, but no financial details or other highly sensitive information.
Revere Health believes the attacker's goal was not to gain access to patient records but to use the compromised email account to launch a more sophisticated phishing attack against Revere Health staff. Given the short window of exposure and the limited nature of the information in the account, the risk to patients is considered low. Patients were nonetheless advised to remain alert to any attempted misuse of their information.
Nobelium, the Russian threat group associated with the SolarWinds supply chain attack, recently impersonated the U.S. Agency for International Development in a phishing campaign that had been running since early 2021. The group gained control of the Constant Contact email marketing account used by USAID and used it to send convincing phishing emails to about 350 agencies. In that campaign, the objective was to deliver malware by impersonating genuine USAID email messages. At the end of May, the U.S. Department of Justice seized two domains used in the spear-phishing campaign.