Black River Medical Center recently reported a data breach, a HIPAA violation, to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The organization fell victim to a hacking incident involving an employee email account, which potentially compromised the protected health information (PHI) of 13,433 patients. The list of reported breaches can be viewed on the OCR breach portal.
It was discovered that one employee fell for a phishing scam, which exposed their email address and password to the attacker. This gave the attacker a way to view the protected health information of Black River's patients, although it is not yet known whether the attacker actually did so. The potentially compromised information includes names, addresses, phone numbers and some procedural information.
The good news is that the attacker was unable to access information such as Social Security numbers or billing details, the kind of data that could put patients in a genuinely dire situation. It is possible the attacker accessed no information at all, but either way patients can rest assured that their SSNs and financial information are protected.
How could Black River Medical Center have prevented this, and what should its next steps be?
The first step is to ensure that employees are trained to recognize what phishing scams look like and know what to do when they believe they have encountered one. It is also important that employees report phishing attempts to a central contact who can relay the information and warn the entire staff. People are far less likely to fall victim to something they know is coming.
The hospital has already taken some of the correct measures to protect its patients. It has sent letters to each affected individual and set up a call line for anyone with questions. It has also reported the incident to HHS OCR, so should any information later be found to have been stolen, that timely report can be used in its defense.
One measure, which may be seen as extreme depending on who you ask, is to fire the employee who potentially compromised PHI. That probably isn't necessary, though; I'm sure that employee has already been scared pretty badly by the incident and will know what to look for in the future.
"U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information." U.S. Department of Health & Human Services, Office for Civil Rights, ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
"Black River Medical Center Employee Falls for Phishing Scam;…" HOTforSecurity, 21 June 2018, hotforsecurity.bitdefender.com/blog/black-river-medical-center-employee-falls-for-phishing-scam-breach-ensues-20049.html.