Phishing Attacks at the Doctors Community Medical Center and Washington University School of Medicine

Doctors Community Medical Center in Maryland sent notification to some patients concerning a breach of their PHI.

The discovery of the data breach in January 2020 was due to a suspicious activity detected in its payroll system. A breach investigation verified that some employees got phishing emails in their inbox and were fooled into exposing their account credentials. Apart from obtaining access to the employees’ email accounts, the attackers also got hold of the payroll data of the employees.

As per the investigation, the initial breach of the accounts took place on November 6, 2019 and access probably remained up to January 30, 2020. Doctors Community Medical Center affirmed on February 13, 2020 that there were data files having patient data found in some of the compromised accounts.

Third-party forensic investigators could not confirm whether the attackers had accessed, duplicated or exposed the patient information. Nonetheless. there was no report that indicates the improper use of patient data. Due to the inability to rule out unauthorized data access, notification letters were sent to the patients. Doctors Community Medical Center also offered credit monitoring and identity restoration services at no cost.

The following types of data were potentially compromised: names, birth dates, addresses, Social Security numbers, financial account information, driver’s license numbers, military identification numbers, diagnoses, prescription data, treatment details, provider names, Medicare/Medicaid numbers, medical record numbers, patient IDs, medical insurance details, access credentials and treatment cost details.

The health system is reviewing its policies and programs and modifying it as necessary. More safety measures will be applied to avoid other attacks.

Phishing Attack on Washington University School of Medicine

Washington University School of Medicine is sending notifications to 14,795 oncology patients with regards to the January 2020 breach of their protected health information (PHI) included in an email account.

A research administrator in the Division of Oncology answered a phishing email which resulted to unauthorized access to his email account between January 12, 2020 and January 13, 2020. Subsequent to the discovery of the email breach, Washington University School of Medicine had taken quick action to secure the email account and prohibit further access of the account by the attacker. The investigation is being conducted with the help of a third-party computer forensics firm.

A conscientious evaluation of messages and file attachments in the email account revealed that the following patient information were included: names, birth dates, limited treatment and/or clinical details, including names of provider, diagnoses, laboratory test results, patient account numbers, and medical record numbers. The health insurance details and/or Social Security numbers of a number of patients were compromised as well.

Breach notification letters were already sent to Impacted individuals. Those who had their Social Security numbers possibly exposed got offers of credit monitoring and identity protection services for free.

Washington University School of Medicine already enhanced email security and provided employees with reinforced training on suspicious email identification.