Analecta Cyber Company Blog: New Jersey Facility Leaks Employee Information Following Phishing Attack

2016-03-30

New Jersey Facility Leaks Employee Information Following Phishing Attack

A month ago, Saint Joseph’s Healthcare System in New Jersey announced that information for approximately 5,000 staff members may have been compromised. Employees at a number of its facilities were recently targeted by a phishing scam, putting them at risk of identity theft. The health system is one of the recent potential victims of data breaches caused by phishing scams affecting employees.


According to St. Joseph’s vice president of external affairs, affected locations include facilities in Paterson, Wayne and Cedar Grove. He added that local and federal authorities, as well as the system’s insurance carrier, had been notified immediately. It is believed that patient data and medical information were not affected. However, hackers may have accessed employees’ names, Social Security numbers and earnings for the years 2015 and 2016. Fortunately, the compromised data did not include staff members’ dates of birth, addresses or banking information.

Signs of sophistication

Investigations found no indication that the incident was an internal crime. It was identified as an extremely sophisticated phishing scam that involved a named company executive using an internal email. According to management, there was no sign of intrusion or breach in the internal IT system and no data was compromised.

As a matter of policy, all affected employees will be provided with free credit monitoring. The hospital's executives have put their main focus on protecting their employees and their credit health. Additionally, in response to the event, proper protocols will be put in place to keep such an event from happening again.

Reports of other potential data breaches involved improperly disposed-of devices and mis-mailings. At the end of last year, an Iowa-based pharmacy unintentionally disposed of an external hard drive containing personal information of some of its customers. The organization believed, however, that some of the data had been encrypted. Potential victims have been informed; according to the OCR data breach reporting tool, the incident affected about 2,300 individuals.

Another case involved a facility in Michigan that reported a mailing error affecting roughly 700 patients. The incident led to a certain degree of information being exposed to the wrong individuals. At this point, every affected individual has been notified.

These data breaches, whatever their cause, should be taken seriously by the facilities involved, as the information accessed can be used in fraudulent activities, including identity theft. Medical facilities should consistently educate their staff on security and safety protocols and work to improve internal system security.