Hospitals and other health-care providers continue to be at the top of the list for cybercriminals. The attacks have become a “near-universal experience” in U.S. health-care organizations, according to a new study from the Healthcare Information and Management Systems Society. Hackers prize the data because it includes sensitive personal information.
The latest health-care provider to suffer a serious data breach is Kalispell Regional Healthcare, a Montana-based hospital system. According to a recent report from local Montana newspaper The Flathead Beacon, Kalispell Regional Healthcare recently informed its customers in an email that the records of roughly 129,000 patients have been compromised. The data breach occurred over the summer when multiple employees took the bait in a phishing attack.
According to the Kalispell Regional Healthcare email, which was written by chief executive officer and president Craig Lambrecht, the attack allowed hackers to access patient records such as “their name, address, medical record number, date of birth, telephone number, email address, medical history, and treatment information, date of service, treating and referring physician, medical bill account number and/or health insurance information.” To add to the problems of the data breach, it is estimated that roughly 250 patients had their Social Security numbers stolen.
Kalispell Regional Healthcare, in addition to notifying federal authorities of the attack, employed the services of the New York cybersecurity firm Kroll. Following confirmation of the attack, Kalispell Regional Healthcare also states that it locked employee email accounts while scrubbing its network and beginning the preliminary investigation.
The Kalispell Regional Healthcare email also states that “although there is no indication that the information was misused, we are offering you 12 months of credit and identity monitoring services at no charge as an extra precaution.” While this is a good start, it really is a minor Band-Aid on a completely avoidable attack. Phishing attacks aggressively target health-care providers because of the wealth of data that can be gleaned from a database. This data can then be used to execute countless schemes such as identity theft.
Since this is common knowledge, especially considering the thousands of well-documented hacking attempts executed against health-care databases by cybercriminals, it stands to reason that hospitals and other resources should prepare their employees accordingly. The fact that multiple employees fell for this social engineering phishing scam shows that Kalispell Regional Healthcare had not done its due diligence and is now paying the price.
Featured image: Flickr / Blogtrepreneur