On June 6, 2019, the nonprofit health system discovered that an unauthorised third party had gained access to employees’ email accounts through a phishing scam. The phishing attack subsequently led to the exposure of protected health information.
Following an investigation, it was found that the accessed email accounts contained the information of 183,370 patients. Names, dates of birth, Social Security numbers (SSNs) and clinical and/or health plan information were amongst the data exposed.
Currently, no evidence has been found indicating that any patient or member data has been utilised and exploited. Additionally, it was identified that there was no access to the company’s electronic health record or billing systems. However, an investigation is still ongoing.
In a statement, Dale Maxwell, president and CEO of Presbyterian Healthcare Services, said:
“At Presbyterian, we take the responsibility of protecting the privacy of our patients and members very seriously.
“We deeply regret that this event occurred and are committed to taking steps to help prevent this type of incident from happening again.”
Presbyterian has since added security to its email system and has notified all those impacted. Patients whose SSNs were exposed are also being offered credit monitoring and identity protection services. Furthermore, employees are now required to complete annual security training.
This isn’t the first time a healthcare company has been attacked. Only last week, Massachusetts General Hospital was the victim of a cyberattack in which an attacker accessed a database, exposing personal health information of almost 10,000 patients.
Research conducted by Carbon Black revealed that over the past year 83% of surveyed healthcare organisations have seen a rise in cyberattacks.
Rick McElroy, Carbon Black’s Head of Security Strategy and one of the report authors, wrote:
“The potential, real-world effect cyberattacks can have on healthcare organisations and patients is substantial.
“Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”