Portland, OR-based provider Legacy Health discovered an unauthorized individual gained access to its email system and the protected health information (PHI) of approximately 38,000 patients.
It discovered the data breach on June 21, 2018, though the email accounts were first breached in May. Legacy Health determined that access was gained through employees being duped by phishing emails.
Email breaches can take a considerable amount of time to investigate. Tools to scan email accounts for protected health information are available, but many of the emails in compromised accounts still need to be individually checked, which can mean manual reviews of hundreds of thousands of messages. (According to the provider’s spokesperson Kelly Love, “[The provider] has been moving at as fast a pace as [it] can to be thorough and clear.”)
Email phishing attacks aren’t just targeted at healthcare providers with five hundred employees. We’re seeing more and more attacks aimed at smaller practices, which typically lack the training and support that larger providers have in place to guard against them.
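To illustrate why a mailbox scan narrows the review but does not replace it, here is a small PHI triage scanner. It is an added example, not a tool used by Legacy Health or described in the original piece; the sample messages, the field names (`id`, `subject`, `body`) and the pattern set are constructed for the example and are assumptions, not a complete PHI definition. Messages carrying a strong identifier are flagged as confirmed, messages with only weak clinical indicators are queued for manual review, and messages with neither are cleared, which is the same split an investigator makes when deciding what still has to be read by hand.

```python
import re
from collections import Counter

# Constructed sample mailbox for the example (not real messages or real patients).
SAMPLE_MAILBOX = [
    {"id": "msg-001", "subject": "Lab results for review",
     "body": "Patient MRN 00482913, DOB 03/14/1962. Please review the attached CBC."},
    {"id": "msg-002", "subject": "Lunch on Friday?",
     "body": "Anyone up for tacos on Friday? Reply by Thursday."},
    {"id": "msg-003", "subject": "Insurance verification",
     "body": "SSN 123-45-6789 confirmed for member; call back at 503-555-0142."},
    {"id": "msg-004", "subject": "Re: Schedule",
     "body": "Moving the 2pm appointment to 3pm. Let me know if that works."},
]

# Strong identifiers: a hit is treated as PHI without further review.
STRONG_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

# Weak indicators: common in clinical email but also in ordinary traffic,
# so a hit only means "a person must read this one".
WEAK_PATTERNS = {
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "clinical_term": re.compile(
        r"\b(patient|appointment|diagnos\w*|prescri\w*|lab results?)\b", re.IGNORECASE),
}


def classify_message(msg):
    """Return (tier, indicators) for one message.

    tier is 'confirmed' (strong identifier present), 'review' (only weak
    indicators present) or 'cleared' (no indicator matched).
    """
    text = f"{msg['subject']}\n{msg['body']}"
    strong = [name for name, pat in STRONG_PATTERNS.items() if pat.search(text)]
    weak = [name for name, pat in WEAK_PATTERNS.items() if pat.search(text)]
    if strong:
        return "confirmed", strong + weak
    if weak:
        return "review", weak
    return "cleared", []


def triage_mailbox(messages):
    """Bucket message ids by tier and count which indicators fired mailbox-wide."""
    buckets = {"confirmed": [], "review": [], "cleared": []}
    indicator_counts = Counter()
    for msg in messages:
        tier, indicators = classify_message(msg)
        buckets[tier].append(msg["id"])
        indicator_counts.update(indicators)
    return buckets, indicator_counts


if __name__ == "__main__":
    buckets, counts = triage_mailbox(SAMPLE_MAILBOX)
    for tier, ids in buckets.items():
        print(f"{tier:>9}: {len(ids)} message(s) {ids}")
    print("indicators:", dict(counts))
```

Only the cleared bucket can be set aside without a human looking at it; the review bucket is exactly the manual work the article describes, and in a real compromised account it is usually the largest of the three, because free-text PHI such as a name next to a condition does not match any fixed pattern.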
How can you protect your practice from this type of attack? Through training. Every employee who uses a computer in your practice MUST know what to look out for, and how to handle something that looks suspicious.