Women’s Health USA impacted by a phishing attack
Women's Health USA disclosed that a phishing attack targeting its employees, which started in Apr. 2018 and occurred again in August 2018, resulted in the exposure of patients' PHI (Protected Health Information). Women's Health USA is a business associate headquartered in the town of Avon, Connecticut, and provides various kinds of practice management services to healthcare organizations.
An investigation was launched after suspicious activity was discovered within the email accounts of certain employees. The affected employee email accounts were then secured. A leading outside forensics team was engaged to help with the investigation and to determine the extent and nature of the breach.
The investigation confirmed that unauthorized individuals accessed two employees' email accounts after those employees replied to the phishing emails and were tricked by the hackers into disclosing their email account credentials. The first email account was breached on Apr. 5, 2018, and the second on Aug. 13, 2018. The hackers might therefore have been able to access the emails and attachments contained in those two compromised accounts between Apr. 5, 2018, and Aug. 13, 2018.
A review of the emails and email attachments in the compromised accounts revealed that they contained some PHI. The exposed protected health information varies by patient, but might include name, birth date, Social Security number, Medicare HICN (Health Insurance Claim Number), health insurance policy number, diagnosis information, and treatment information.
The phishing attack and the data breach were reported to the Department of Health and Human Services' Office for Civil Rights. The breach summary shows that 17,531 patients have been affected by this breach.
Women's Health USA officials said that they notified all affected healthcare provider clients of the breach on Mar. 15, 2019, and started sending breach notification letters to all affected patients on March 29, 2019.
All employees were provided with additional training so they can identify phishing emails and improve their awareness of other cybersecurity issues. More security measures were also implemented to enhance email security.
» SPAMfighter News - 4/26/2019