Oregon Agency Reports Phishing Attack Affecting 350,000
Incident Among Largest Health Data Breaches So Far in 2019
The Oregon Department of Human Services is among the latest entities to reveal a phishing breach impacting the protected health information of hundreds of thousands of individuals.
In a March 21 statement, Oregon's DHS says that a Jan. 8 spear phishing attack, in which nine employees clicked on a link, compromised a total of about 2 million emails containing the PHI of 350,000 individuals. These email addresses were accessible through the nine victim accounts.
The state's DHS and enterprise security office's cybersecurity team confirmed the breach on Jan. 28, the statement notes.
"The unauthorized access to the affected email mailboxes was successfully stopped," DHS says.
The agency says it is in the process of thoroughly reviewing the incident and the information involved. "This investigation includes clarifying the number of impacted records that might contain personal information of clients receiving services from DHS," the statement says.
Client information impacted may include first and last names, addresses, dates of birth, Social Security numbers, case number and other information used to administer DHS programs.
While there is no indication that any personal information was copied from its email system or used inappropriately, the department will be offering identity theft and credit monitoring services for impacted individuals, DHS says.
As of Monday, the Oregon DHS incident had not yet been posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists major health data breaches impacting 500 or more individuals.
However, once HHS confirms details of the Oregon DHS incident, the incident potentially will be among the five largest health data breaches reported so far in 2019.
Indeed, phishing-related incidents are the top culprits behind the largest health data breaches reported so far in 2019, according to the HIPAA Breach Reporting Tool website.
In February, UConn Health reported to HHS a phishing incident affecting 326,000 individuals.
Also, in January, Centerstone Insurance and Financial Services, which does business as BenefitMall, reported a major hacking incident to HHS involving phishing. That breach affected about 111,600 individuals (see Phishing Attacks Continue to Plague Healthcare).
So, despite the warnings and training about phishing attacks, why do employees at so many organizations continue to fall victim to these scams?
"Criminals are very crafty at making phishing emails look real. Also, people are sometimes in a hurry to read [or] respond to email and don't pause to ask themselves if an email is legitimate," notes Keith Fricke, principal consultant at tw-Security.
As phishing scams become more sophisticated, organizations need to stay vigilant to defend against such attacks, experts note.
"The one thing I think can help is for organizations to make full use of simulated phishing tools," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "We should be phishing our own employees regularly, and using the results as teaching moments."
Fricke offers a similar perspective. "Some organizations do not conduct internal phishing campaigns to test their workforce and require follow up training for those failing the exercise. The lack of training and awareness is a contributing factor."
Technology tools, of course, are also critical in the ongoing and escalating battle against phishing attacks, Fricke adds.
"Technologies that filter spam and some phishing are a good and necessary start. Implementing two-factor authentication into email is important, as it reduces the opportunity for criminals to compromise a legitimate email account and use it to make recipients believe that fake emails are coming from an email account they are familiar with," he says.