Healthcare Phishing Scam Exposes PHI for 12K Patients in UT

August 25, 2021 - Utah-based health system Revere Health announced it was the victim of a healthcare phishing scam on June 21 that exposed the protected health information (PHI) of 12,000 patients at the Heart of Dixie cardiology department in St. George, Utah.

A Revere Health employee clicked on a link in the phishing email that subsequently compromised their email account. The hacker used the employee’s credentials to remotely log in and view medical records numbers, patient names, birthdates, procedures, provider names, and appointment details.

No payment information was included in the compromised data.

“From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information,” the announcement stated.

The information was not shared online, and the health system’s IT security team cut off access to the email account within 45 minutes of the cyberattack.

Revere Health suggested that the attacker had three main objectives:

1. To spread phishing emails
2. To gather active usernames and passwords
3. To attempt financial fraud against Revere Health

The health system stated that it had no reason to believe the attacker was interested in patient information, but it is a possibility that they have not completely ruled out.

In its announcement, the health system explained that doctors and staff use EHR systems and secure email servers to conduct patient care.

“While our workforce strives to minimize the amount of sensitive information stored on email servers, some use of patient information in email is necessary for successful clinic operations,” the announcement continued. 

“In this case, the majority of information found in the compromised email account was necessary for the coordination of billing services.”

As a result of the incident, Revere Health updated its security awareness training and suspicious activity detection protocols, along with expediting the implementation of its two-factor authentication software.

Revere Health also said that the health system regularly sends out simulated phishing emails to test workforce awareness.

Although the incident was deemed low risk, Revere Health encouraged impacted patients to monitor their personal data and look out for suspicious activity.

The FBI’s 2020 Internet Crime Report identified phishing as a top cybersecurity threat in 2020. The agency received over 240,000 complaints about phishing with adjusted losses of over $54 million.

In early August, a student health insurance plan fell victim to a phishing attack that exposed students’ PHI. Academic HealthPlans provides insurance to 230 higher education institutions across the country.

A recent report from CyberMDX and Philips found that cybersecurity is not a high investment priority for most hospital IT teams, despite the growing number of attacks since the onset of the pandemic.

The healthcare industry continues to be a target for phishing and ransomware, sometimes at the expense of patients. Understanding common cybersecurity risks and vulnerabilities is crucial for hospitals to maintain high security standards and avoid costly attacks that pose risks to patient safety.