September 2017 – Cyber Security Summary

October 12, 2017

The number of healthcare breaches has increased slightly since August 2017, yet the number of individuals/records affected has decreased over the same period. In August, healthcare providers experienced 28 breaches with 695,225 individuals/records affected; in September, healthcare providers experienced 36 breaches with only 445,702 individuals/records affected. Contributing to the September breaches were a few phishing schemes, a stolen laptop, and a data hack exposed via Twitter.


Since the beginning of the year

Since the beginning of 2017, there have been 1,080 total data breaches, causing almost 171 million records to be compromised. Of those, the healthcare industry accounted for 289 breaches and about 4.6M records compromised. That is 26.8% of total breaches and 2.7% of records compromised.


SMART Physical Therapy Hack Exposed via Twitter

A hacking group known as TheDarkOverlord (TDO) announced a successful attack on a U.S. healthcare provider, SMART Physical Therapy. The hack reportedly occurred on September 13, 2017, and TDO disclosed the data theft on Twitter on September 22, 2017. The database contained a wide range of information on 16,428 patients, including contact information, dates of birth, and Social Security numbers.


Network Health Phishing Attack Impacts Over 51,000 Plan Members

Network Health notified 51,232 of its plan members that some of their protected health information (PHI) has potentially been accessed by unauthorized individuals. In August 2017, some Network Health employees received sophisticated phishing emails. The compromised email accounts contained a range of sensitive information, including names, phone numbers and addresses, dates of birth, ID numbers, and provider information. The company took prompt action by contacting federal law enforcement officials. Network Health is offering one year of free identity theft protection and monitoring to affected customers.


Stolen Laptop from Mercy Health Love County Hospital and Clinic Leads to Credit Card Fraud

On June 23, 2017, the hospital discovered an employee had stolen a laptop computer and paper records from a storage unit used by the hospital. The theft of PHI was initially investigated by the Love County Sheriff’s Office, and the investigation revealed the former employee had used the stolen information to fraudulently obtain credit cards in the patients’ names. A second individual is also understood to have been involved. Only ten patients were directly affected and were notified immediately.


Two Employees Hooked By Phishing Attack at Morehead Memorial Hospital, 66,000 Patients Impacted

Morehead Memorial Hospital in Eden, NC has announced that two employees fell victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. The types of information exposed include names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers. After the discovery, the hospital performed a network-wide password reset. Phishing scams like this happen often in the healthcare field: healthcare employees receive emails that look authentic, and once an employee clicks a link and enters login details, the hackers have the credentials to log in to those accounts. The hospital reported that the breach impacted roughly 66,000 patients and that it was reported to the FBI, Department of Homeland Security and Office of Civil Rights.