Analecta Cyber Company Blog: Phishing Attack Hit Metropolitan Jewish Health System

2016-04-18

Phishing Attack Hit Metropolitan Jewish Health System

Phishing attacks on medical facilities remain a serious threat, particularly those aimed at protected health information and medical records. A common variant uses email to trick healthcare employees into opening infected attachments. Attackers may also lure staff into clicking links that lead to malicious websites, which then deliver malware or harvest sensitive information such as login credentials.

Around the start of the year, Metropolitan Jewish Health System Inc. (MJHS) fell victim to a phishing attack. Investigators found that an employee's email account had been compromised and that the intrusion went undetected for four days, ample time for the attackers to read whatever the mailbox held. Further investigation is needed to determine whether the scheme affected any other email accounts.

As soon as the healthcare organization discovered the incident, the compromised email account was shut down. The investigation then determined that the protected health information of 2,483 patients could have been exposed. At the time of writing, there is no evidence that any of the patients' information has been misused.

The affected patients include people who had previously received examinations and treatment from Menorah Center for Rehabilitation and Nursing Care, MJHS Home Care, MJHS Hospice and Palliative Care Inc., and MJHS Institute for Innovation in Palliative Care. Members of Elderplan Inc. may also have been affected by the breach.

The information that may have been exposed consists of member and patient names, ID numbers, treatment dates, medical diagnoses, and the facilities at which treatment was received.

Bogus emails

As in most phishing attacks, the attacker impersonated a trusted sender and, through that deception, obtained access to the employee's email account. The email looked genuine, and the employee noticed nothing suspicious about it.

MJHS is now conducting supplementary training to re-educate employees about the risks of phishing. Their aim is to reduce the likelihood that a future attack will compromise patients' personal health information. They are also reviewing their email security protocols in order to strengthen user authentication controls.

Email spam filters can intercept many phishing messages, but everyone knows they are never completely effective. It remains essential to train employees regularly in email security best practices so that they can recognize phishing emails themselves. Organizations can also run simulated phishing campaigns against their own facilities to verify that existing security controls are adequate and to test how well employees detect phishing emails.
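To make the "recognize a phishing email" advice concrete, here is an added example of the kind of heuristic checks a mail filter or a training exercise can apply to a raw message: display-name spoofing, lookalike sender domains, a Reply-To that points elsewhere, pressure language in the subject, executable or macro-bearing attachments, and links whose visible text shows a different host than the real target. This is illustrative code written for this post, not MJHS's tooling or anything described in the breach notice; the two messages, the trusted domain `example-health.org`, and every other domain name in them are constructed for the example.

```python
"""Heuristic phishing-indicator checks over raw email messages.

Added example for this post (not MJHS tooling or code from the original
article). The two messages below are constructed for illustration; every
domain name in them is fictitious.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the organisation's own mail domain, used to spot lookalikes.
TRUSTED_DOMAIN = "example-health.org"

URGENCY_WORDS = ("urgent", "password", "expire", "suspend", "verify", "immediately")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".html", ".iso", ".lnk")
URL_RE = re.compile(r"https?://[^\s<\"']+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing message: spoofed display name, lookalike sender domain,
# foreign Reply-To, urgent subject, mismatched link, and a macro-enabled attachment.
PHISH_EML = """\
From: "IT Helpdesk <helpdesk@example-health.org>" <alerts@example-hea1th.org>
Reply-To: recovery@mail-reset-portal.com
To: nurse@example-health.org
Subject: URGENT: your mailbox password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://mail-reset-portal.com/login">https://webmail.example-health.org/reset</a> within 24 hours.</p>
--BOUND
Content-Type: application/octet-stream; name="Password_Policy.docm"
Content-Disposition: attachment; filename="Password_Policy.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--BOUND--
"""

# Constructed benign internal message for comparison.
LEGIT_EML = """\
From: Scheduling <scheduling@example-health.org>
To: nurse@example-health.org
Subject: Shift roster for next week
Content-Type: text/html; charset="utf-8"

<p>The roster is posted on <a href="https://intranet.example-health.org/roster">the intranet</a>.</p>
"""


def domain_of(address):
    """Return the lowercase domain of an email address, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def normalize_domain(domain):
    """Fold the character substitutions typical of lookalike domains (rn->m, 0->o, 1->l)."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def analyze(raw):
    """Return the list of phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name shows an address or our domain, but the real sender is elsewhere.
    if ("@" in display_name or TRUSTED_DOMAIN in display_name.lower()) and from_domain != TRUSTED_DOMAIN:
        findings.append("display-name-spoof")

    # 2. Sender domain is a near-copy of ours (e.g. the digit 1 standing in for the letter l).
    if from_domain != TRUSTED_DOMAIN and normalize_domain(from_domain) == normalize_domain(TRUSTED_DOMAIN):
        findings.append("lookalike-domain")

    # 3. Replies are steered to a domain other than the sender's.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Subject uses pressure language.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-language")

    for part in msg.walk():
        # 5. Attachment with an executable or macro-bearing extension.
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + filename)

        # 6. Link whose visible text shows one host while the href points to another.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = URL_RE.search(text)
                if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
                    findings.append("link-mismatch:" + (urlparse(href).hostname or ""))
    return findings


def is_suspicious(raw, threshold=2):
    """True when at least `threshold` independent indicators fire on the message."""
    return len(analyze(raw)) >= threshold


if __name__ == "__main__":
    for label, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, is_suspicious(eml), analyze(eml))
```

None of these checks is conclusive on its own (a legitimate newsletter may set a Reply-To on another domain, and a real IT notice may say "urgent"), which is why the verdict is based on how many independent indicators fire rather than on any single one. The same six questions work as a checklist in awareness training: who is really in the From address, where does a reply go, where does the link actually point, and what is the attachment?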