3 Orgs Fall Victim to Separate Phishing, Email Security Incidents

May 04, 2022 - Phishing attacks remain a reliable method for threat actors looking to gain network access and compromise data.

Employee education, web filters, and cyber hygiene can help healthcare organizations prevent phishing attacks. 

Valley View Hospital Faces Phishing Scam, 21K Impacted

Glenwood Springs, Colorado-based Valley View Hospital Association issued a breach notification stating that an unauthorized actor gained access to four employee email accounts in January 2022.

“Valley View promptly secured the email accounts to prevent any further unauthorized access and engaged a forensic security firm to investigate the incident and confirm the security of Valley View’s email and computer systems,” the notice stated.

On March 29, Valley View determined that the accounts contained personal information. According to information obtained by the Post Independent, the breach potentially impacted about 21,000 people. The unauthorized access was the result of a phishing scam.

Valley View’s notice stated that it did not believe that any personal information was removed from its system. The health system began mailing letters to potentially impacted individuals on March 19.

“We want to assure our patients that we are taking this matter very seriously,” the notice continued. “We deeply regret that this incident has occurred and greatly value the trust our patients have placed in Valley View.”

CT Dental Implant and Periodontics Provider Suffers PHI Breach

Fairfield County Implants and Periodontics (FCIP) began notifying patients of an email data security incident that impacted 10,502 individuals. The Connecticut provider discovered a compromised email account on March 2, 2022.

An investigation revealed that the email account contained Social Security numbers, health insurance information, names, addresses, birth dates, phone numbers, medical history, email addresses, and treatment information.

“While FCIP does not have evidence that any information contained in the email account was used for fraudulent purposes, FCIP is unable to conclusively rule out the possibility that personal information was compromised,” the letter stated.

As a result, FCIP began notifying impacted patients on April 15 and offered free identity theft protection services.

“FCIP plans to implement additional safeguards and assess its privacy and security controls to further strengthen its data security and help prevent future incidents such as this,” the letter concluded.

“Fairfield County Implants & Periodontics takes its patients’ privacy and the security of information very seriously and deeply regrets any inconvenience this incident may have caused.”

Los Angeles Department of Mental Health Falls Victim to Phishing Attack

The Los Angeles County Department of Mental Health suffered a “malicious cyberattack” that compromised client information, a notice on its website stated.

The Office for Civil Rights (OCR) data breach portal showed that the incident impacted 5,129 individuals. The department said it fell victim to a cyberattack between October 19 and October 21, 2021, and delayed its investigation and notification at the request of law enforcement.

“Specifically, a malicious actor or actors was able to obtain the log-in credentials for the Microsoft Office 365 accounts of three of our employees through a phishing email attack,” the letter explained.

“The phishing emails originated from a trusted business partner whose email server the actor or actors had compromised and then used to send multiple phishing emails to our employees. We believe that the cyber-attack may have provided the attacker with access to certain personal information, as described below.”

The phishing attack potentially exposed Social Security numbers, driver’s license numbers, medical information, health insurance information, names, birth dates, addresses, and financial account numbers.

On April 21, the department said it completed mailing notifications to impacted individuals. The notice on its website serves to notify clients whose contact information was not found.

“Following this incident, we are reviewing and updating our security policies, procedures, and controls. We have also notified Microsoft of the vulnerability in the Microsoft Office 365 multifactor authentication that was exploited by the malicious actor or actors,” the notice continued.

“Although we have no evidence that any personal information has been misused, we encourage potentially affected individuals to remain vigilant for any suspicious activity on any of their accounts.”