Growing plague: Cybercriminals hit yet another health-care provider

Hospitals and other health-care providers continue to be at the top of the list for cybercriminals. The attacks have become a “near-universal experience” in U.S. health-care organizations, according to a new study from the Healthcare Information and Management Systems Society. Hackers prize the data because it includes sensitive personal information.

The latest health-care provider to suffer a serious data breach is Kalispell Regional Healthcare, a Montana-based hospital system. According to a recent report from the local Montana newspaper The Flathead Beacon, Kalispell Regional Healthcare recently informed its customers in an email that the data of roughly 129,000 patients had been compromised. The data breach occurred over the summer when multiple employees took the bait in a phishing attack.

According to the Kalispell Regional Healthcare email, which was written by chief executive officer and president Craig Lambrecht, the attack allowed hackers to access patient records such as “their name, address, medical record number, date of birth, telephone number, email address, medical history, and treatment information, date of service, treating and referring physician, medical bill account number and/or health insurance information.” To add to the problems of the data breach, it is estimated that roughly 250 patients had their Social Security numbers stolen.

Kalispell Regional Healthcare, in addition to notifying federal authorities of the attack, employed the services of the New York cybersecurity firm Kroll. Kalispell Regional Healthcare also states that, following confirmation of the attack, it locked employee email accounts while scrubbing its network and beginning the preliminary investigation.

The Kalispell Regional Healthcare email also states that “although there is no indication that the information was misused, we are offering you 12 months of credit and identity monitoring services at no charge as an extra precaution.” While this is a good start, it really is a minor Band-Aid on a completely avoidable attack. Phishing attacks aggressively target health-care providers because of the wealth of data that can be gleaned from a database. This data can then be used to execute countless schemes such as identity theft.

Since this is common knowledge, especially considering the thousands of well-documented hacking attempts executed against health-care databases by cybercriminals, it stands to reason that hospitals and other resources should prepare their employees accordingly. The fact that multiple employees fell for this social engineering phishing scam shows that Kalispell Regional Healthcare had not done its due diligence and is now paying the price.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
