Indiana-based Methodist Hospitals is currently notifying 68,039 patients that their protected health information may have been exposed in a data breach. The patient data that was potentially compromised includes the following:
- Names
- Addresses
- Health insurance information
- Group identification numbers
- Social Security numbers
- Financial account numbers
- Payment care information
- Medical record numbers and treatment information
In June, the health systems saw unusual activity in an employee’s email account prompting investigation. Methodist Hospitals determined that two employees fell victim to a phishing attack. Collectively, the unauthorized third-party had access to the email accounts between March 13 and July 8. Methodist Hospitals said there is no evidence that any patient information has been misused.
These latest cyberattacks illustrate how valuable medical information has become. Exposed healthcare data can be damaging to companies as well as to individuals. For this reason, employees are sometimes targeted because of what they can access from a particular organization that can be exploited by hackers. This is why, when measuring the cybersecurity posture of third parties, one needs to consider not only the technical aspect that is usually provided by vulnerability assessment tools, but also the human factor, which contributes to the overall resilience of an enterprise.
Phishing attacks continue to be a leading cause of data breaches, as shown with the recent breach targeting Indiana-based Methodist Hospitals. In fact, spear-phishing plays a role in at least 90 percent of all cyberattacks and is a highly effective tactic leveraged by cybercriminals. Because medical records contain an abundance of personal information, including Social Security numbers, addresses, payment information, and insurance information, they are highly valuable on the dark web, allowing cybercriminals to commit insurance fraud, account takeover and identity theft.
Many organizations invest in employee email security training to prevent these kinds of attacks. However, the pressure to identify fraudulent emails should not solely be on the employees, as modern phishing attacks are extremely hard to identify due to convincing impersonation techniques (used in over 80 percent of all spear phishing messages) and sophisticated social engineering. This incident demonstrates how healthcare organizations and other companies need email security systems that validate and authenticate sender identity before an email reaches an employee inbox.