A healthcare
provider in Kalispell, Montana has suffered an embarrassing data breach
resulting in the leak of 129,000 health records, exposing patients to identity
theft and fraud.
Kalispell Regional Healthcare learned of the breach in June, but an investigation suggests the phishers started collecting patient records as early as May 24. A notice sent to patients by the healthcare institution, obtained by local news outlet Flathead Beacon, reveals that the phishing attack was targeted and coordinated.
Multiple
employees had unknowingly provided their email login credentials to the
phishers. The scammers were then able to access patients’ personal information,
including name, address, medical record number, date of birth, telephone
number, email address, medical history and treatment information, date of
service, treating and referring physician, medical bill account number and/or
health insurance information. The hospital says as many as 250 patients may
have had their Social Security numbers accessed as well.
Chief
Executive Officer and President Craig Lambrecht said in the letter to patients
that the attack was “highly sophisticated.” Upon learning of the scam, KRH
immediately disabled the employees’ accounts, notified federal law enforcement
and launched an investigation with the help of a reputable, New York-based
digital forensics firm.
The letter
says KRH is offering free credit monitoring services to those affected – as it
should in the wake of such a serious data breach – and tells patients how to
enroll for monitoring.
Cybercrooks targeting hospitals typically aim for one of two scenarios: extort the healthcare unit (i.e. ransomware); or exfiltrate health records to sell on the dark web to fraudsters. The reason why KRH is shouldering the credit monitoring expense is, of course, to protect patients from fraud.
KRH Director
of IT Melanie Swenson said in an Oct. 22 media interview that the unit is very
well equipped to prevent and handle cyber-incidents, conducting annual threat assessments
and compliance audits. Each year the hospital takes steps to bolster its
cybersecurity as cybercriminals become more sophisticated. Nevertheless, by
virtue of basic day-to-day operations and “allowing the employees to do their
job, there’s always a little window of vulnerability,” Swenson said.
Many studies conducted in recent years underscore the need to conduct regular staff training to spot cyber threats. Phishing remains one of the most prevalent attack avenues for cybercriminals everywhere as employees are typically the first line of defense and, at the same time, the weakest link in an organization’s IT infrastructure.