Metro Infectious Disease Consultants falls victim to an email breach

Metro Infectious Disease Consultants (MIDC) has fallen victim to an email breach. MIDC consists of over 100 infectious disease physicians with locations in Illinois, Alabama, Arizona, Georgia, Michigan, Missouri, and Kansas. Unfortunately, there has been an uptick in email breaches recently, resulting in the exposure of personally identifiable information (PII) and protected health information (PHI).

For covered entities and their business associates, employing strong email security (i.e., HIPAA compliant email) along with other cybersecurity methods is the safest way to combat email breaches.

What happened?

According to MIDC’s incident notice, the breach occurred on June 24 when an unauthorized third party gained access to employee email accounts. More than likely the hackers gained access via a successful email phishing attack.

Upon learning of the incident, MIDC secured the compromised email accounts to prevent further exposure. The organization also hired a third-party forensic firm to investigate the security of its email and computer systems. While MIDC does not believe the threat actor viewed or acquired PHI, the stolen emails did contain names, addresses, dates of birth, Social Security numbers (SSNs), driver’s license numbers, account numbers, insurance information, prescription information, and limited clinical information.

According to OCR’s Breach portal, the hacking/IT incident affected 171,740 individuals. MIDC has notified all affected individuals and arranged for complimentary credit monitoring for those whose SSNs and/or driver’s license numbers were impacted.

Email breaches

Email is the most accessible threat vector (or entry point) into any computer/network. Phishing, also known as email spoofing or email impersonation, involves a malicious attempt to trick victims into giving up personal and/or online account information.

RELATED:  Phishing attacks wreak havoc on healthcare providers

Phishing is a major cause of breaches today because of how easy it is to use social engineering techniques to trick a victim. Such malicious emails can be targeted ( spear phishing) or sent en masse ( spam) and often contain malware that spreads throughout a system shutting a network down or encrypting/stealing data. The outcome depends on what the cyber attacker was after, including sabotage, information, or a ransom.

Healthcare data breaches

CISA (the U.S. Cybersecurity & Infrastructure Security Agency) recently put out a fact sheet on preventing ransomware attacks in part because of recent high-profile attacks on healthcare organizations. Moreover, a new report has revealed that smaller, outpatient facilities (like MIDC) and business associate attacks are increasing. Healthcare, and these two groups in particular, is a prime target for email breaches for two main reasons: the general lax state of cybersecurity and overworked staff.

RELATED:  What you don’t know about cybersecurity can put your business at risk

Unfortunately,  human error is unavoidable because tired or unaware employees are easy to compromise and not likely to be up-to-date on cyber risks. On the other hand, healthcare providers can (and should) fix cybersecurity issues.

Prevent cyber mistakes

• Up-to-date and consistent policies and procedures
• Continuous employee awareness training
• Strong technical and physical access controls
• Offline backups
• Patched and updated systems and devices

And according to CISA’s fact sheet, risk management and breach plans, network segmentation, and encryption as well. Moreover, no cybersecurity program is complete without solid email security.

Paubox Email Suite Plus is  HITRUST CSF certified security software that protects email from inbound and outbound threats. All outbound emails are encrypted directly from your existing email platform (such as Microsoft 365 and  Google Workspace), requiring no change in email behavior. No extra logins, passwords, or portals for your or your email recipients.

Our solution also reviews incoming emails for potential threats and quarantines anything that raises a red flag. Paubox’s patent-pending  Zero Trust Email feature applies the Zero Trust security framework to email, requiring additional proof of legitimacy before delivering any message. With the right tools in place, all healthcare providers can safeguard themselves, their employees, and their patients' PHI.