Dec 13, 2017

MRT reports that once again, compromising employee email provides access for attackers:

Midland Memorial Hospital announced Tuesday there was a data security incident involving a limited number of patients’ personal information.
The hospital became aware on Oct. 13 that an unauthorized third party may have obtained access to an employee’s e-mail account on or about Oct. 10.

Read more on MRT.

Dec 08, 2017

Ron Wilshire reports:

Clarion University was notified of an email compromise that occurred because of a criminal phishing scam that compromised two email accounts in the registrar’s office.

The unauthorized individual or individuals had access to the accounts between October 7 and October 10.

“Clarion University is committed to data integrity and privacy protection,” said Communication Manager Tina Horner. “The email compromise potentially exposed Social Security and/or driver’s license numbers belonging to 408 students.

Read more on Explore Clarion.

Dec 08, 2017

Ally Marotti reports:

At least two employees at Sinai Health System had their email accounts compromised in a phishing incident, potentially affecting the information of 11,350 people.

The seven-member hospital system said in a statement Thursday that it cannot confirm whether any patient information in the email accounts was viewed. However, there is a low risk that the information was exposed, the hospital system said.

Chicago-based Sinai, which serves the West and Southwest sides, discovered the phishing attack hours after it occurred Oct. 2 and took immediate action, the statement said.

Read more on Chicago Tribune.

Dec 08, 2017

Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.

The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.

I’d love to see what that phishing email looked like if 300 people fell for it.

Dec 05, 2017

Baptist Health Louisville in Kentucky recently notified 880 patients of a phishing incident. The incident was also reported to the U.S. Department of Health and Human Services.

According to a substitute notice in response to the breach, on October 3, Baptist Health discovered that an employee’s email account credentials had been obtained by an unauthorized third party on October 2 and had been used to generate “phishing” emails to other email accounts.

Baptist Health immediately disabled the email accounts, changed the account passwords, and conducted a thorough investigation that could not rule out that an unauthorized third party may have viewed the employee’s emails. Baptist Health then conducted a review of the affected employee’s email accounts and confirmed that some of the emails contained patient information, which may have included patients’ names, dates of birth, medical record numbers, treatment and/or clinical information, and in some instances Social Security numbers.

Although Baptist Health states there is currently no reason to believe that patient information has been used improperly, they began mailing letters to affected patients on November 21, 2017, and established a dedicated call center to answer any questions patients may have regarding the incident.

Patients whose Social Security numbers were potentially involved are being offered a one-year complimentary credit monitoring and identity protection service.

In response to the incident, Baptist Health notes that they are reinforcing education with their staff regarding “phishing” emails and they have strengthened the log-in process for remote email access.