Is Ascension Health being targeted by attackers successfully acquiring employee e-mail account logins via phishing? (Update 2: It seems they are. See this post after reading the one below.)
Zach Lozano reports that Seton Family of Hospitals will provide free identity monitoring and protection services for patients who had their personal information leaked in a phishing attack targeting employee emails:
Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.
Well, that last statement is not quite accurate, as I’ll explain below, but you can read the rest of his report on KXAN.
In looking into this incident, I became suspicious when I noted that Seton is part of Ascension Health. This past week, another Ascension member, St. Vincent Medical Group in Indiana, also reported a phishing attack but they learned of theirs on December 3, not in February. So I started digging more, wondering if Ascension hospitals are being targeted just as we saw both Baylor facilities and Franciscan Health/Catholic Health Initiatives facilities being targeted by phishing attacks. And sure enough, I found a notice on Seton’s site that reports that they actually became aware of the phishing attack on December 4 – the day after St. Vincent’s learned of their breach. Seton’s notification is basically the same as St. Vincent’s notification after adjusting for date of discovery and number affected. Here’s the main part of Seton’s notice:
The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton’s patients.
Seton experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Upon the determination that an email account had been compromised, the user name and password was immediately shut down. Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected e-mails to determine the scope of the incident. Seton engaged computer forensics experts to assist with the investigation. Through the ongoing investigation of this matter, we determined on February 26, 2015, that the employee e-mail accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.
The personal health information in the e-mail accounts included demographic information (i.e., name, address, gender, date of birth, etc.), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records.
I wonder whether we’ll learn that other Ascension Health members have been similarly targeted. Ascension Health describes itself as the largest non-profit health system in the U.S., with 131 hospitals. As their site also indicates, Ascension Information Services (“AIS”) was formed as a nonprofit corporation in 2005, and AIS provides information technology infrastructure and software application support services to all member entities of Ascension. But who provides the training to employees how to not fall for phishing attempts?
Updated: DataBreaches.net reached out to Ascension Health to ask them whether there were more than two hospitals that have had recent phishing incidents like those reported by the two hospitals mentioned in this post. DataBreaches.net also asked Ascension Health what it was doing to boost security.
Ascension Health did not respond at all to the first inquiry, so it was re-sent.
This time, they replied. Their reply?
“We’re going to pass. Thanks.”