Florida-based Health First notified 42,000 patients that their personal data may have been exposed for three months after several employees fell victim to phishing attacks.
The breach was reported to the Department of Health and Human Services in October. DataBreaches.net obtained further details, which showed that several employee email accounts were compromised through phishing scams between February and May 2018.
Once the cyberattacks were discovered, officials blocked access to the impacted accounts and changed the passwords. Health First has since implemented new security measures.
According to officials, the investigation found that a limited number of emails were viewed. Furthermore, the hack appeared to focus on the phishing scam itself rather than on obtaining personal data. But the accounts did contain protected health information, and those patients have been notified of the breach.
The hack compromised some patient data and gave the cybercriminals access to these accounts for a limited period. Officials did not explain when they first discovered the attack, nor why it took until October to report the breach to HHS. Health First did not respond to a request for comment by the time of publication.
Health First is just one of many healthcare organizations this year to report a breach that went undetected for several months.
Just last month, North Carolina-based Catawba Valley reported that while officials were investigating a phishing attack in August, they discovered a hacker had access to three email accounts for more than a month. A similar attack on Gold Coast Health Plan exposed 37,000 patient records for a month.
In fact, the Minnesota Department of Human Services recently came under fire from state officials for a breach of 21,000 patient records that went undetected for more than a month. An October hearing outlined the crux of the issue: limited resources and a lack of security talent to “perform deep analysis.”
These security incidents serve as a critical reminder of the need for improved network monitoring and access management to better detect suspicious activity.