Atrium Health Responds to New Social Engineering Attack

Atrium Health announced on its website Friday that it will be sending notifications to certain patients and employees who may have been affected by a malicious email sent to some of the health system’s employees on April 29.

The health system in Charlotte, North Carolina, said its electronic health records are separate from its email system and were not affected by the incident.

WHY IT IS IMPORTANT

Atrium, part of Advocate Health, the third-largest not-for-profit health system in the United States, recently learned that an unauthorized third party had gained access to a limited number of employee email accounts via the original phishing email sent on April 29.

Based on an ongoing investigation, the health system said it appears the unauthorized party had access to the compromised account for one day, until April 30. The health system said the unauthorized third party’s activity did not target medical or health information in employees’ email inboxes.

Atrium, which operates in Winston-Salem, North Carolina, Georgia and Alabama, is sending warning letters to patients and employees whose personal information may have been exposed in the incident.

The social engineering attack may have gained access to, among other things:

  • First and/or last name.
  • Street address.
  • Email address.
  • Social Security number.
  • Date of birth.
  • Medical file number.
  • Driver’s license or state issued identification number.
  • Bank or financial account numbers or information.
  • Treatment/diagnosis.
  • Prescription.
  • Health insurance and/or treatment cost information, such as patient identification numbers and health insurance account or policy numbers.

To minimize the risk of similar incidents, Atrium is providing additional phishing training and education to its employees, and free credit monitoring and identity protection services to those affected by the attack.

THE BIGGER TREND

Phishing email remains the most common method of attack. A successful phish can give an attacker access to employee email accounts, from which malicious actors can move on to networks, payment systems and more.

Threat actors are also targeting healthcare information technology help desks by posing as employees to trigger password resets on employee accounts. In June, the Federal Bureau of Investigation and the Department of Health and Human Services issued an advisory about cyber threat actors using email and phone calls to steal healthcare payments.

The FBI and HHS said that after posing as Revenue Cycle or Administration employees to gain access, the threat actors diverted legitimate payments.

“Phishing is the most common way hackers gain access to healthcare systems to steal sensitive data and medical information,” said Melanie Fontes Rainer, director of the Office for Civil Rights, in December when OCR announced the first settlement for a HIPAA data breach involving a phishing attack.

While “Atrium apologizes after employees were misled by email fraud,” as one report in The Charlotte Observer put it, the rise of generative artificial intelligence has only increased the volume of attacks, improving both the quality and the quantity of phishing emails.

ON THE RECORD

“Atrium Health is not aware of any attempted or actual misuse of patient or personal information. There is no evidence that personal information was accessed as a result of the phishing attack,” the healthcare provider said in a statement.

Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org

Healthcare IT News is a publication of HIMSS Media.

The HIMSS Healthcare Cybersecurity Forum is scheduled for October 31-November 1 in Washington, DC.