Metro Infectious Disease Consultants (MIDC) has fallen victim to an email breach. MIDC consists of over 100 infectious disease physicians with locations in Illinois, Alabama, Arizona, Georgia, Michigan, Missouri, and Kansas.
According to MIDC’s incident notice, the breach occurred on June 24 when an unauthorized third party gained access to employee email accounts. More than likely, the hackers gained access via a successful email phishing attack.
Upon learning of the incident, MIDC secured the compromised email accounts to prevent further exposure. The organization also hired a third-party forensic firm to investigate the security of its email and computer systems.
While MIDC does not believe the threat actor viewed or acquired PHI, the stolen emails did contain names, addresses, dates of birth, Social Security numbers (SSNs), driver’s license numbers, account numbers, insurance information, prescription information, and limited clinical information.
According to OCR’s Breach portal, the hacking/IT incident affected 171,740 individuals. MIDC has notified all affected individuals and arranged for complimentary credit monitoring for those whose SSNs and/or driver’s license numbers were impacted.
Email is the most accessible threat vector (or entry point) into any computer/network. Phishing, also known as email spoofing or email impersonation, involves a malicious attempt to trick victims into giving up personal and/or online account information.
Phishing is a major cause of breaches today because of how easy it is to use social engineering techniques to trick a victim.
The outcome depends on what the cyber attacker was after, whether sabotage, information, or a ransom.
Healthcare data breaches
CISA (the U.S. Cybersecurity & Infrastructure Security Agency) recently put out a fact sheet on preventing ransomware attacks in part because of recent high-profile attacks on healthcare organizations.
Moreover, a new report has revealed that attacks on smaller outpatient facilities (like MIDC) and on business associates are increasing. Healthcare, and these two groups in particular, is a prime target for email breaches for two main reasons: the generally lax state of cybersecurity and overworked staff.
Unfortunately, human error is unavoidable because tired or unaware employees are easy to compromise and not likely to be up to date on cyber risks. On the other hand, healthcare providers can (and should) fix cybersecurity issues.
Prevent cyber mistakes
Cybersecurity is something that healthcare organizations of all sizes can strengthen by using a layered approach that includes:
- Up-to-date and consistent policies and procedures
- Continuous employee awareness training
- Strong technical and physical access controls
- Offline backups
- Patched and updated systems and devices
According to CISA’s fact sheet, the approach should also include risk management and breach plans, network segmentation, and encryption.
Moreover, no cybersecurity program is complete without solid email security.
Paubox Email Suite Plus is HITRUST CSF certified security software that protects email from inbound and outbound threats. All outbound emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace), requiring no change in email behavior. No extra logins, passwords, or portals for you or your email recipients.
Our solution also reviews incoming emails for potential threats and quarantines anything that raises a red flag. Paubox’s patent-pending Zero Trust Email feature applies the Zero Trust security framework to email, requiring additional proof of legitimacy before delivering any message.
With the right tools in place, all healthcare providers can safeguard themselves, their employees, and their patients’ PHI.