Charleston, South Carolina-based Roper St. Francis Healthcare and Valley Professionals Community Health Center (VPCHC) in Indiana recently began notifying patients that their data was potentially breached after employees fell victim to targeted phishing campaigns.
Thirteen Roper St. Francis employees fell victim to a large-scale phishing campaign, which was discovered on November 30. Access was blocked upon discovery. Officials said the investigation determined the hacker had access between November 15 and December 15.
Roper St. Francis hired a third-party forensics team to help investigate and determined the email accounts contained a wide range of data that varied by patient. The compromised information could include names, medical record numbers, health insurance details, and medical services.
For a limited number of patients, Social Security numbers and financial data were breached. All patients will receive a year of free credit monitoring. The breach is not yet listed on the Department of Health and Human Services’ Office for Civil Rights breach reporting tool, so it’s currently unknown how many patients were impacted. But Roper St. Francis includes more than three hospitals.
Valley Professionals Community Health Center
About 12,000 patients were impacted by the phishing attack on VPCHC, an Indiana health network that includes seven health centers.
A VPCHC employee fell victim to a phishing attempt, in which the hacker sent an email impersonating a health organization that had worked with the health network in the past. The email appeared to be genuine and looked as if it came from a known sender.
As a result, officials discovered suspicious activity from the compromised account on November 27. The account was quickly secured, and officials launched an investigation with help from a third-party forensics team to determine the extent of the attack.
They determined the hacker had access to the account for a month between October 26 and when the breach was discovered. The compromised emails included names, addresses, Social Security numbers, medical record numbers, diagnoses, patient identification numbers, providers, payment information, treatments, procedures, and dates of birth.
For a small group of patients, bank account numbers, health insurance details, and/or routing numbers were breached. Officials could not determine what, if any, emails were accessed by the hacker. But 12,000 patients have been notified.
VPCHC has since bolstered its technical safeguards and provided employees with further phishing training and education.
Phishing attacks have continued to pummel the healthcare sector in recent years, as hackers have increased the sophistication of attacks. Often, cyberattacks can go undetected for months, such as those seen in recent notifications from Critical Care, Pulmonary & Sleep Associates, Sacred Heart Rehabilitation Center, BenefitMall, and a host of others.
Reducing the decisions users have to make around email can help reduce risk, while stronger network monitoring can more readily detect these attacks.