Atrium Health announced on its website Friday that it is sending notifications to certain patients and staff who may have been affected by a malicious email sent to some of the health system’s employees on April 29.
The Charlotte, North Carolina-based health system noted that its electronic medical records are separate from its email system and were unaffected by the incident.
WHY IT MATTERS
Part of Advocate Health, the third-largest nonprofit health system in the United States, Atrium recently learned that an unauthorized third party accessed a limited number of employee email accounts through the original phish sent on April 29.
Based on an ongoing investigation, the health system said that it appears the unauthorized party had access to the affected account for one day, until April 30. The health system said that the activity of the unauthorized third party was not focused on medical or health information content in the employee email boxes.
Atrium, which operates in Winston-Salem, North Carolina, Georgia, and Alabama, is mailing notification letters to patients and employees whose personal information may have been exposed in the incident.
Information that may have been accessed in the social engineering attack includes:
- First and/or last name.
- Street address.
- Email address.
- Social Security number.
- Date of birth.
- Medical record number.
- Driver’s license or state-issued identification number.
- Bank or financial account numbers or information.
- Treatment/diagnosis.
- Prescription.
- Health insurance and/or treatment cost information, such as patient identification numbers and health insurance account or policy numbers.
To minimize the risk of similar incidents, Atrium said it is providing additional phishing training and education to its employees, along with complimentary credit monitoring and identity protection services to those affected by the attack.
THE LARGER TREND
Phishing emails, the most popular style of attack, can open up access to employees’ email accounts, and threat actors can then pivot to attack networks, reimbursement payment systems and more.
Threat actors also target health information technology help desks posing as employees in order to trigger password resets for employees’ accounts. In June, the Federal Bureau of Investigation and the Department of Health and Human Services released an advisory about cyber threat actors using email and telephone calls in attempts to steal healthcare payments.
The FBI and HHS said that, after claiming to be revenue cycle or administrator employees to gain access, the threat actors diverted legitimate payments.
“Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information,” Melanie Fontes Rainer, director of the Office for Civil Rights, said in December when OCR reached its first data breach settlement under HIPAA for a phishing attack.
While “Atrium apologizes after email scam fools workers,” noted a report in The Charlotte Observer, the rise of generative artificial intelligence has only enhanced attacks, improving the quality and quantity of phishing emails.
ON THE RECORD
“Atrium Health is unaware of any attempted or actual misuse of patient or personal information and there is no evidence any personal information was viewed as a result of the phishing attack,” the provider said in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.