Nine Email-Based Attacks that Targeted U.S. Healthcare Organizations


Various U.S. industries suffered email-based attacks between the summer of 2018 and fall of 2019. Among these, the education and public sectors received ample media coverage for the incidents that affected their organizations. But that doesn’t mean other segments haven’t also experienced plenty of attacks of their own.

Take healthcare, for instance. In its analysis of recent email fraud attacks against healthcare organizations, Proofpoint found that the number of campaigns increased 473% between the beginning of 2017 and the end of 2018. This trend, in turn, carried over into 2019, with numerous organizations suffering their fair share of security events.

Here are nine of those email-based attacks that recently targeted U.S. healthcare organizations.

1. UConn Health

Near the end of 2018, UConn Health learned of a security incident in which an unauthorized third party accessed a small number of employee email accounts. An investigation into the incident revealed that the accounts contained personal information including individuals’ names, dates of birth, addresses, Social Security Numbers and limited medical information - including billing details. The inquiry ultimately didn’t find any evidence of fraud or identity theft. Even so, UConn Health decided to notify individuals whose information the accounts might have affected. It also implemented measures designed to strengthen the security of its email systems, and notified law enforcement as well.

2. Navicent Health

Back in July 2018, Navicent Health launched an investigation after learning of a security incident. The second-largest hospital in Georgia also notified law enforcement and retained a digital forensic firm to support its inquiry and recovery efforts. As a result, Navicent Health learned in early 2019 that the incident had in fact affected some of the organization’s email accounts. Data impacted included patients’ names, dates of birth, addresses and limited medical information at the time of compromise. For some individuals, the accounts also contained Social Security Numbers. In response, the hospital sent out letters notifying affected patients about the security incident. It also recommended that individuals review their credit reports and other financial statements for suspicious transactions.

3. Talley Medical Surgical Eyecare

Over the first week of April 2019, Talley Medical Surgical Eyecare Associates in Evansville, Indiana suffered a ransomware attack that affected its network server and other computer systems. SPAMfighter reported that the incident affected upwards of 106,000 patient records stored on those devices. The data records included current and former employees’ demographic data as well as patients’ names, Social Security Numbers, addresses and medical information. Following an investigation, SPAMfighter learned that the healthcare organization managed to regain access to the information affected by the ransomware attack, but it did not learn whether Talley Medical Surgical Eyecare Associates had met the ransomware actors’ demands or whether it had used another means to regain access to its data.

4. Wise Health System

In the middle of May 2019, Wise Health System learned that a small number of customers’ shipping addresses for, a medical suppliers shipping service, had changed. The Washington-based health service looked into the matter and determined that someone had targeted those affected accounts with password brute-forcing attacks. They then accessed those accounts and changed their shipping address; in the process, they might have viewed patients’ names, dates of birth, addresses, health insurance information and history of products purchased through the site. Subsequently, Wise Health System temporarily disabled online account access for affected customers, notified these individuals about the incident and informed law enforcement about what had happened.

5. Baystate Medical Center

According to MassLive, the Baystate Medical Center learned in early February 2019 that someone had gained unauthorized access to an employee’s email account. It then launched an investigation, which revealed that a total of nine employee email accounts had fallen to a phishing attack. Through those emails, attackers might have viewed patients’ names, dates of birth, health information (including treatments and diagnoses) as well as some health insurance information and Social Security Numbers in a small number of cases. In response, Baystate Medical Center secured each of the affected employees’ email accounts, instituted a password reset for all affected employees, increased its email logging capabilities and strengthened its employee security awareness training program.

6. Oregon Department of Human Services

On January 8, 2019, employees at the Oregon Department of Human Services (Oregon DHS) became the targets of a phishing email campaign. Nine employees opened the phishing email and clicked on an internet link. Doing so gave digital attackers access to their email accounts, which at the time of compromise housed emails containing attachments including clients’ names, addresses, dates of birth, personal health information and Social Security Numbers. After employees began reporting problems with their email accounts, the Oregon Department of Human Services launched an investigation, found all of the affected accounts and terminated the phishers’ access. In response to the data breach, Oregon DHS offered free access to identity protection services to all individuals affected by the breach.

7. NCH Healthcare System

NCH Healthcare System detected a phishing attack in mid-June 2019 when it observed a suspicious email pertaining to its payroll system. A closer look into the attack revealed that 73 employees had opened the email and disclosed their account credentials to fraudsters. Upon hiring a team of forensic investigators, the Naples-based healthcare system found evidence to suggest that the digital attackers had not been interested in stealing patients’ protected health information (PHI), but had instead sought to redirect payroll payments. That being said, those forensic analysts determined that the attack had also exposed some PHI. NCH Healthcare System therefore advised patients to monitor their benefits statements and accounts for signs of suspicious activity including misuse of information, per the HIPAA Journal.

8. Harbor Medical Group

In mid-June 2019, Harbor Medical Group suffered a ransomware attack after a single employee allegedly opened and clicked on a phishing email. This infection enabled attackers to gain access to many of the Washington-based multi-clinic covered entity’s systems and services. Some of these assets contained patients’ information including their names, addresses, phone numbers, dates of birth, Social Security Numbers, insurance information, diagnoses and treatment data. In response, the healthcare organization began notifying 85,000 patients whose information the attack might have exposed. As reported by Compliancy Group, it also offered them free credit monitoring services while it looked deeper into the incident with the help of the FBI.

9. Brookside ENT and Hearing Center

Brookside ENT and Hearing Center became the victim of a ransomware infection back in April 2019, as reported by Battle Creek Enquirer. This security incident disabled multiple computers in the Battle Creek medical office, rendered years of patient data irrecoverable and burdened the healthcare organization with a $6,500 ransom demand if it wanted to see its information again. Brookside ENT and Hearing Center reached out to the FBI about the infection. Its agents explained that the medical office could pay the ransom but that it had no guarantee the bad actors would return access to its data. So the office decided to not pay the ransom and instead closed its doors.

Defending Against Phishing Attacks

The incidents discussed above highlight the need for healthcare organizations to defend themselves against email-borne attacks. To do this, organizations should look to invest in a solution that analyzes incoming emails on multiple levels, including their URLs, campaign patterns and malware signatures. The solution should perform this analysis in real time while allowing legitimate email correspondence to get through.
