Chase Brexton Health Care has notified 16,000 patients of a possible data breach after bad actors targeted its employees with a phishing attack.
The incident occurred around 2-3 August 2017. At that time, Chase Brexton employees received a bogus email survey; completing it gave the attackers access to the respondent's email account. Before the American clinical services provider had time to warn its staff, four employees had completed the survey. Those behind the phishing attack then abused that access to reroute the victims' paychecks to a bank account under their control.
Chase Brexton changed the passwords on the four compromised email accounts. Even so, it is concerned that the attackers could have caused more significant long-term harm while they still had access. As the health provider explains in a "Notice of Data Security Incident" posted to its website:
"Chase Brexton does not believe that the unknown perpetrator(s) looked at any emails that were not related to payroll; however, there is no way to know which messages in the email were or were not read. It was determined that these email boxes did contain personal health information from several patients, including the following: patient name, patient ID number, date of birth, address, provider name, diagnosis codes, line of service, service location, visit description, insurance, and medication information."
At this time, there is no evidence that the attackers have abused patients' electronic health records (EHR) in any way. Even so, in the interest of data security, Chase Brexton decided to notify the 16,562 patients whom the incident might have affected. Those individuals can expect to receive a written notice about the data breach in the mail, including guidance on how they can protect themselves against identity thieves.
In the meantime, Chase Brexton has notified the U.S. Department of Health and Human Services and the Maryland Attorney General about the incident, hired a third-party investigator, installed new email filters, conducted phishing training with its employees, and implemented new security measures in an effort to protect patients’ EHR.
News of this phishing attack comes a few weeks after American managed health care company Aetna set up a program to provide immediate relief to victims of an incident that disclosed patients' protected health information (PHI).