Dive Brief:
- Presbyterian Healthcare Services is notifying 183,000 patients and health plan members that some of their protected health information has been exposed in a phishing attack on the email accounts of several employees, according to a press release from the New Mexico-based integrated health network.
- Nine-hospital Presbyterian, which discovered the breach on June 6, said the email accounts included names of patients and health plan members, and may also have involved Social Security numbers, birth dates, and clinical and health plan information.
- The phishing attack — which occurred on or around May 9 — is but one security incident disclosed recently. Last week, an attacker accessed databases at Massachusetts General Hospital related to two computer programs used by researchers in the neurology department, exposing personal health information of almost 10,000 patients. The breach occurred between June 10-16, and the hospital discovered it on June 24.
Dive Insight:
Data breaches are an ongoing problem for the healthcare sector, which led all industries in cybersecurity breaches in 2018, accounting for 25% of more than 750 incidents, according to a report from BakerHostetler.
Across all industries, phishing attacks were the leading cause of breaches (37%) followed closely by network intrusions (30%), BakerHostetler said. Social Security numbers were the most at-risk type of data, making up 37% of potentially compromised records, while health information made up a third.
As of now, Presbyterian has no evidence indicating hackers are maliciously using the data or have gained access to Presbyterian's EHR or billing systems. The investigation is still ongoing.
"At Presbyterian, we take the responsibility of protecting the privacy of our patients and members very seriously," the system's president and CEO Dale Maxwell said in a statement. "We deeply regret that this event occurred and are committed to taking steps to help prevent this type of incident from happening again."
Healthcare data is particularly valuable to hackers. While credit-card or bank-account numbers can be canceled, limiting the damage, healthcare data can continue to circulate and be used for fraudulent purposes indefinitely.
The situation is only getting worse. In the first half of 2019, nearly 32 million patient records were breached — more than double the number of records breached during all of 2018, according to IT security firm Protenus. Between January and June, 285 breaches were reported.
A big part of that 2019 tally was the hacking incident on American Medical Collection Agency, which works with Quest Diagnostics, LabCorp and other healthcare companies. More than 20 million records were exposed in the attack.
Presbyterian is offering credit monitoring and identity protection services to patients whose Social Security numbers were exposed. It also is adding new security capabilities to its email system and requiring all employees to complete annual training on protecting information.
In the case of Massachusetts General Hospital, the data exposed varied, depending on the specific research study, but may have included demographic and medical information, such as diagnosis, medical history and genetic information. The compromised information did not include Social Security numbers, insurance or financial information, addresses or other contact information.