Academic Medical Provider Says 3 Employee Email Accounts Were Compromised
Michigan-based academic medical provider Henry Ford Health is notifying nearly 170,000 individuals that their protected health information was breached in a recent phishing scam compromising three employees’ email accounts.
The Detroit-area healthcare organization – which includes five hospitals and 33,000 employees, including 6,000 physicians and researchers – reported the phishing business email compromise to Maine’s attorney general on Tuesday. Of the 168,215 affected individuals, two were Maine residents.
Henry Ford Health in a statement posted on its website said the incident had occurred on March 30 and that the organization had secured the affected email accounts and launched an investigation.
“During the forensics portion of the investigation, we determined on May 16 that protected health information was contained in the email boxes and could have been accessed by the bad actor,” Henry Ford Health said.
Henry Ford Health then investigated which patients had been affected and began to notify them. The organization said it does not know whether information contained in the compromised email accounts was accessed or viewed.
The information stored in the affected email accounts includes patient name, gender, birthdate, age, lab results, procedure type, diagnosis, date of service, telephone number, medical record number and internal tracking number, Henry Ford Health said.
“As a result of this incident, we are implementing additional security measures and providing additional training to employees about recognizing the signs of suspicious email and what to do if they receive one,” Henry Ford Health said.
A snapshot Thursday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website showed 372 major health data breaches affecting nearly 44 million individuals so far in 2023.
Of those, 68 breaches – including 49 hacking/IT incidents and 19 unauthorized access/disclosure breaches affecting a total of more than 1 million individuals – were reported as email compromises.
Henry Ford Health did not immediately respond to Information Security Media Group’s request for additional details about the phishing incident.
As of Thursday, the Henry Ford Health phishing incident is the third-largest email breach posted on the HHS Office for Civil Rights’ website so far this year, following hacking incidents affecting 239,000 individuals and 194,000 individuals, respectively, reported by health insurer HighMark Inc. and Community Psychiatry Management, which does business as Mindpath Health.
The IBM Cost of a Data Breach report released this week found that phishing is the most common attack vector, accounting for 16% of attacks. Business email compromises accounted for 9% (see: Data Breach Cost Control: Practice and Preparedness Pay Off).
Despite employee awareness training and other efforts to reduce the risk of employees falling for phishing and social engineering schemes, fraudsters are constantly finding new ways to lure victims – including through the use of generative AI tools.
For instance, researchers at cloud security firm Netenrich said in a report this week that on Telegram earlier this month they had spotted an AI bot marketing itself as FraudGPT that offers features such as writing malicious code and creating phishing pages and emails (see: Criminals Are Flocking to a Malicious Generative AI Tool).
Phishing training has different levels of complexity and difficulty, said Wendell Bobst, senior security consultant at tw-Security. “Organizations should continue to increase the difficulty of their phishing campaigns or training. We know attackers will take advantage of emerging tools, including ChatGPT and other AI-powered systems,” he told ISMG.
With that in mind, organizations must plan for users’ mistakes and deploy critical technologies, including advanced threat protection in email systems, Bobst said. Email protection should include attachment processing and link validation at the time the email is routed to the recipient – and when the recipient clicks the email, he said. “Attackers can set up a compromised site or alter a legitimate site shortly after the email is processed by the organization’s email service,” he said.
Security teams also should deploy advanced endpoint protection such as anti-malware software on all organizational workstations. “These vendors can quarantine malicious code based on its behavior or signature,” Bobst said.
Finally, entities should deploy strong mobile device manager controls on all devices that access organizational email or any organizational systems, he said.
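The time-of-click link validation Bobst describes, as an added example that is not from the article or any vendor's product: a delivery-time pass rewrites each link through a signed redirector, and the click-time pass re-checks the destination's reputation, so a host that was clean when the mail was routed but blocklisted by the time of the click is still stopped. The signing key, redirector host, blocklist and message body are all constructed for the demo.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed signing key and redirector host (assumptions, not any product's values).
REWRITE_KEY = b"constructed-demo-key"
SAFE_LINK_HOST = "https://safelinks.example.invalid/click"

# Constructed reputation data; a real gateway queries a live verdict service.
BLOCKLIST = {"login-update.example.invalid"}

HREF_RE = re.compile(r'href="(https?://[^"]+)"')

def sign(url: str) -> str:
    """HMAC over the original URL so the redirector can detect a tampered parameter."""
    return hmac.new(REWRITE_KEY, url.encode(), hashlib.sha256).hexdigest()

def verdict(url: str, blocklist=BLOCKLIST) -> str:
    """Reputation check on the destination host; run at delivery and again at click time."""
    host = urlparse(url).hostname or ""
    return "block" if host in blocklist else "allow"

def rewrite_links(html: str) -> str:
    """Delivery-time pass: wrap every href so each click is re-checked by the redirector."""
    def wrap(match):
        url = match.group(1)
        return f'href="{SAFE_LINK_HOST}?u={quote(url, safe="")}&s={sign(url)}"'
    return HREF_RE.sub(wrap, html)

def resolve_click(rewritten: str, blocklist=BLOCKLIST) -> str:
    """Click-time pass: verify the signature, re-evaluate reputation, then allow or block."""
    params = parse_qs(urlparse(rewritten).query)
    url, sig = params["u"][0], params["s"][0]
    if not hmac.compare_digest(sign(url), sig):
        return "reject"          # link parameters were altered after rewriting
    if verdict(url, blocklist) == "block":
        return "block"           # destination turned malicious after delivery
    return url                   # still clean: redirect to the original destination

# Constructed message body: the destination is clean when the mail is routed ...
SAMPLE_HTML = '<p>Reset your password <a href="https://login-update.example.invalid/reset">here</a>.</p>'
DELIVERY_VERDICT = verdict("https://login-update.example.invalid/reset", blocklist=set())  # "allow"
REWRITTEN = rewrite_links(SAMPLE_HTML)
# ... but by the time the recipient clicks, the host is on the blocklist.
CLICK_RESULT = resolve_click(HREF_RE.search(REWRITTEN).group(1))  # "block"
```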
“It’s not a losing battle when organizations are sufficiently motivated and recognize the risks around human behavior. Unfortunately, it comes at a price: higher costs for security controls and more restrictions on where sensitive information can be used or stored.”