140K Patients Impacted in Tandem Diabetes Care Phishing Attack
Several Tandem Diabetes employee email accounts were comprised during a three-day period after a phishing attack; an insider incident, email hack, and more phishing complete this week’s breach roundup.
By - About 140,000 patients of Tandem Diabetes Care are being notified their data was potentially compromised after several employee email accounts were compromised during a phishing attack. Tandem is a medical device manufacturer based in San Diego, California.
On January 17, Tandem first discovered a hacker gained access to an employee email account through a phishing campaign. Upon discovery, the account was secured and investigation was launched to determine the scope of the incident.
The investigation determined several employee email accounts were compromised for three days between January 17 and January 20. The affected accounts contained a range of patient data including details related to customers’ use of Tandem products or services, clinical data about diabetes therapy, and Social Security numbers, for a limited number of patients.
Patients whose Social Security numbers were impacted will receive a year of free credit monitoring and identity protection services. Tandem notified impacted healthcare providers, along with a general public notification.
The vendor will continue to invest in its cybersecurity and data protection safeguards and plans to bolster its email security controls and user authorization and authentication. Tandem also limit the type of data permitted to be shared by email.
Monthlong Phishing Attack on University of Utah Health
READ MORE: Hackers Target WHO, COVID-19 Research Firm with Cyberattacks
University of Utah Health recently began notifying some of its patients that a monthlong phishing attack potentially breached their sensitive data.
According to its notice, officials discovered unauthorized access to some employee email accounts between January 22 and February 27. The access occurred between January 7 and February 21, stemming from a phishing scheme sent to several employee email accounts.
The account was secured, and a cybersecurity firm was engaged to assist with an investigation. Officials said they determined the impacted accounts contained patient data such as, names, dates of birth, medical record numbers, and some clinical information about care received at the facility.
During the investigation, officials discovered a malware infection on an employee workstation. Once secured, officials said they found the malware allowed access to some patient information from the affected email account, including patient names, dates of birth, medical record numbers, and clinical data.
University of Utah Health is continuing to investigate the incident, while reviewing information protocols, reinforcing employee security policies, and implementing changes where needed.
Oregon Department of Health Reports Another Phishing Incident
READ MORE: OCR Shares COVID-19 Cyber Scam Advice, as Hackers Impersonate WHO
One year after notifying 645,000 patients that their data was potentially breached, the Oregon Department of Human Services is again reporting a healthcare data breach stemming from another phishing incident.
Oregon DHS first reported in March 2019 that nine employees fell victim to a targeted phishing campaign, which compromised the data contained in 2 million emails. At the time, an estimated 350,000 patients were affected, which was later updated to 645,0000 after an extended investigation.
The latest phishing incident was discovered in one employee email account on March 6. Officials said the agency’s IT security processes allowed for quick detection and containment to stop the unauthorized access.
The investigation determined a spear phishing email was sent to a DHS employee, who opened the email and provided credentials to the threat actor. Officials said they’re unable to determine if any client or employee information was copied or used inappropriately during the incident.
Currently, DHS is reviewing the incident to determine what information was involved. Officials said they intend to engage with a third-party team to identify the number and identities of patients impacted by the event, as well as the type of information.
READ MORE: Illinois Public Health Website Hit With Ransomware Amid Coronavirus
Those patients will receive free theft protection services to potentially impacted employees and clients. Officials said they intend to provide further notice once more information is gathered.
Golden Valley Health Employee Email Compromise
An undisclosed number of patients from Golden Valley Health Centers in California are being notified that their personal information was potentially breached after the compromise of an employee email account.
It’s unclear by the notification when the compromise began or how long it occurred before discovery. But an investigation determined on March 3 that patient information was contained in the account accessed by an unauthorized user. The information included medical data, billing and insurance details, patient referral information, and appointment records.
Golden Valley Health is currently retraining employees and reviewing and revising its security, policies, and procedures.
Insider Incident at Hawaii Pacific Health
Straub Medical Center, part of Hawaii Pacific Health, recently discovered an employee had been snooping on patient records over the last five years.
First discovered in on January 17, officials said they launched a review to determine the scope. By analyzing access logs, they determined the employee first began viewing patient files without authorization in November 2014 until they were caught by officials in January.
The patients impacted by the event received treatment at Wilcox Medical Center, Straub Medical Center, Pali Momi Medical Center, and Kapiolani Medical Center for Women & Children. The employee accessed a range of patient information, including names, contact details, primary care physician names, appointment types, dates of service, clinical notes, medical record numbers, and demographic data, as well as Social Security numbers, health plan names, and guarantor names.
In total, over the course of five years, the employee was able to access and view the medical records of 3,772 patients. Hawaii Pacific Health terminated the employee at the close of the investigation. Officials said they believe the access was driven by curiosity, but data theft could not be ruled out.
Patients will receive a year of free credit monitoring and identity restoration services. Hawaii Pacific is currently reviewing and updating its internal procedures and plans to further train employees on patient privacy. Officials said they’re also looking into new tech that could better identify unauthorized access and track anomalous employee behavior.
Insider incident continue to plague the healthcare sector. Of the 41.4 million patient records breached in 2019, 3.8 million were caused by insiders. While the number decreased by 20 percent from 2018, detection continues to be problematic. Protenus recommends the use of advance tech to better detect insider incidents.
