JESSICA KIM COHEN October 23, 2019
A phishing scam targeting employees at Kalispell Regional Healthcare may have compromised health information of nearly 130,000 patients, the Montana health system confirmed.

Kalispell discovered the phishing incident, in which several employees unknowingly provided login credentials to hackers in response to a "well-designed email," this summer, according to a notification the system posted online Tuesday. Those hackers may have gained unauthorized access to Kalispell's IT systems as early as May 24.

Kalispell said it launched an investigation and disabled the compromised accounts upon discovering the data breach.

The investigation on Aug. 28 determined that up to 129,641 patients may have had health information accessed in the breach, which could have included names, medical record numbers and Social Security numbers.

Kalispell has offered free fraud consultation and identity theft restoration services to all patients who were affected in the breach. Some patients were also offered a year of web or credit monitoring services, depending on what information was exposed.

To date, there is no evidence patient information exposed in the breach has been misused, according to Kalispell.

"We are committed to protecting patients' privacy and have taken steps to prevent similar events from occurring in the future," said Craig Lambrecht, Kalispell's president and CEO, in a statement. "In addition, the organization will work with the authorities to hold the perpetrators accountable for this attack against patients' privacy."

Kalispell officials stressed the system's commitment to cybersecurity. During its most recent annual review and threat assessment, cybersecurity consulting firm CynergisTek had said the health system was in the top 9% of healthcare organizations for data security readiness, according to a Kalispell spokesperson.

David Finn, executive vice president of strategic innovation at CynergisTek, said the company doesn't comment on work with its customers, but said its framework for assessing data security readiness includes evaluating compliance with HIPAA and the National Institute of Standards and Technology's cybersecurity framework.

"Your risk posture is never the same from moment to moment," he said. "You plug new things into your network, you change systems, you hire new people, and all that changes your risk posture. Security is very fluid … Nothing is 100% in the security world."

There's been a marked increase in email breaches in recent years. Since 2017, email has been the primary outlet through which health data is exposed, according to data from the HHS' Office for Civil Rights, the agency that maintains the government's database of healthcare breaches. In previous years, healthcare organizations and their business associates were more likely to attribute breaches to theft of paper records or laptops.