Yet another healthcare provider, Monongalia Health System, had to notify affected individuals about a recent phishing attack.
Monongalia Health is based in West Virginia. Cyber attackers breached its email systems along with affiliated Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company.
Phishing and cyberattacks continue to wreak havoc on healthcare providers. This past year alone, 40,099,751 individuals have had their protected health information (PHI) exposed.
Such high numbers show that covered entities are not doing everything they can and must do to protect patients’ information. More needs to be done to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.
Monongalia Health first discovered the data breach on July 28, 2021. An employee received an email from a vendor reporting that they did not receive a payment. A preliminary investigation found that threat actors somehow accessed the contractor’s email account. The hackers then sent the email asking for payment through a fraudulent wire transfer.
Given this, the health system secured the email account, reset the password, hired a third-party investigator, and notified law enforcement. The third-party investigation concluded in October. It revealed that the cyber attackers obtained access to multiple email accounts between May 10 and August 15. And unfortunately, the email accounts contained personally identifiable information (PII) and PHI such as:
Phishing is a malicious attempt to trick people into giving up personal and online account information. In this instance, the cyber attackers used email phishing to gain access to the contractor’s email account.
According to Monongalia Health, several employees responded to the initial phishing emails. Phishing emails are effective, largely because email is the most accessible threat vector (or entry point) into any system. Moreover, employees remain the weakest link for most organizations’ security programs. This is especially true for healthcare providers this year as they struggle with tired and stressed staff because of the COVID-19 pandemic.
HIPAA compliance is necessary for organizations that must block phishing emails and practice good cyber hygiene. For Monongalia Health, improving its cyber hygiene means reviewing existing protocols and implementing multifactor authentication (MFA) for remote access. But it should also consider keeping employee awareness training consistent and up to date, alongside strong access controls like MFA. And ultimately, the best way to stop your employees from inadvertently sharing information is by utilizing strong email security.
Enabling HIPAA compliant email with strong inbound and outbound email security is crucial to safeguarding PHI.
Paubox Email Suite Plus automatically encrypts all outgoing emails and delivers them directly to an inbox.
Our HITRUST CSF certified product requires no change in email behavior and works with any existing email platform, such as Microsoft 365 and Google Workspace. And Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered. Our solution protects healthcare organizations from malware, phishing, and display name spoofing, keeping email accounts locked from outsiders.
Monongalia Health thankfully caught the BEC scheme before paying a ransom to the cyber attackers, but unfortunately it still violated HIPAA with the phishing breach, something that could have been avoided altogether. And that’s why you should be a Paubox Email Suite Plus customer.
With our solution, employees won’t be given the opportunity to fall for phishing. And your organization remains safe and secure from cyber threats so that you can concentrate on what’s important: patient care.