The Connecticut Department of Social Services (DSS) sent a notification about a potential breach of the protected health information (PHI) of 37,000 individuals due to several phishing attacks that occurred from July to December 2019.
Several email accounts were compromised and used to send spam emails to a number of DSS employees. The investigation confirmed that the incident was a phishing attack. A thorough investigation was conducted using state information technology resources and a third-party forensic IT company. The investigators did not find any evidence suggesting that the attackers accessed patient information in the email accounts. However, the DSS breach notice stated that the forensic experts could not rule out access to personal data because of the large volume of emails involved and the form of the phishing attack.
As a precaution, DSS offered identity theft protection services to affected individuals and took steps to enhance email security and better protect against phishing attacks in the future.
Phishing Attack on Mercy Iowa City Impacts More Than 92,000 People
Mercy Iowa City has begun notifying 92,795 people about the potential compromise of some of their PHI due to a phishing attack. The attack affected only one email account, which an unauthorized person was able to access from May 15, 2020 to June 24, 2020. The email account was used to send further spam and phishing emails.
An analysis of the breached account showed it contained information such as names, birth dates, driver’s license numbers, Social Security numbers, treatment data, and medical insurance data. Mercy Iowa City offered free one-year credit monitoring services to those whose driver’s license numbers or Social Security numbers were potentially exposed.
Mercy Iowa City has implemented additional security measures, such as multi-factor authentication for email accounts, to prevent further attacks.
Phishing Attack on LSU Health Care Services
The Louisiana State University (LSU) Health New Orleans Health Care Services Division announced a potential compromise of patient data from several hospitals in Louisiana after an unauthorized person accessed an employee email account.
The unauthorized access of the email account happened on September 15, 2020. LSU discovered the attack on September 18 and immediately disabled the email account. An investigation of the incident did not uncover any evidence that the unauthorized person accessed or obtained patient information in the email messages and attachments.
The breached email account was found to contain the protected health information of patients of the hospitals listed below:
Bogalusa Medical Center in Bogalusa
University Medical Center in Lafayette
Interim LSU Hospital in New Orleans
Leonard J. Chabert Medical Center in Houma
Lallie Kemp Regional Medical Center in Independence
O. Moss Regional Medical Center in Lake Charles
The types of data possibly compromised varied by patient and by medical center, but may have included names, contact numbers, birth dates, addresses, medical record numbers, account numbers, Social Security numbers, dates of service, types of services received, insurance ID numbers, and some financial account details and health data. The investigation into the attack is not yet finished; however, to date, the data of “thousands” of patients are known to have been exposed.
LSU Health is currently assessing additional security measures to better defend against future attacks. Employees have also received additional information and security awareness training.