Pawnee County Memorial Hospital (PCMH) in Pawnee City, Nebraska has notified 7,038 patients that a hacker may have accessed some of their protected health information.
The incident was discovered on November 29, 2018, when PCMH learned that their business e-mail system was compromised by a malware virus.
A forensic computer investigator was hired immediately following the discovery of the virus to determine how exactly it got into PCMH’s system. According to the notice issued by PCMH, the hacker was able to infect the organization’s e-mail system by successfully phishing a hospital employee. The employee who caused the breach received an e-mail with what appeared to be a legitimate attachment. The employee opened the attachment, activating the malware and giving the cybercriminal access to PCMH’s e-mail system from November 16, 2018, to November 24, 2018.
The information which was available in the compromised e-mail accounts includes the patient’s full name and one or more of the following: date of birth, date(s) of service, medical record number, clinical information, insurance information, and driver’s license/state ID number. In some instances, patients’ social security numbers were also compromised.
PCMH believes that the attack was not an attempt to obtain patient data but was financially motivated. At this point, it is unclear whether the hacker accessed any of the protected health information in question.
Following the incident, PCMH has arranged for one-year of credit monitoring services for all affected individuals. The hospital has also provided written notice to those involved with steps that can be taken to help prevent medical identity theft or fraud.
The organization has also taken steps to reduce a similar incident from reoccurring. All e-mail account passwords were reset immediately following the incident. The hospital is also evaluating its information security practices and safeguards and implementing appropriate steps to better protect their patients.
This breach is a reminder of how deceiving cybercriminals can be when crafting a phishing message. PCMH regularly uses e-mail to conduct business, so the attachment included in the phishing email did not raise any red flags.
Employees must remain diligent and thoroughly vet every email before deciding to click on any links or open any attachments. Ensuring your employees are well trained on phishing is crucial. Sending simulated phishing emails to your employees regularly will also go a long way in protecting your organization, which in turn, will help protect your patients as well.