This was not a targeted cyber attack. National Cyber Security Centre (NCSC) confirmed via an NHS Digital statement that this attack was part of a larger credential-harvesting scheme targeted at organizations across the United Kingdom.
More information can be found here.
A look at the data
According to official data obtained by think tank Parliament Street and released via a press release, nurses, doctors, and other healthcare staff reported that more than 43,000 malicious emails were sent to NHS since the beginning of the pandemic.
Parliament Street stated that 21,000 of those malicious emails were reported in March alone. These email attacks included spam and phishing attacks.
Malware email campaigns are not new. Cybercriminals have only adjusted their delivery methods of these attacks during the height of COVID-19.
During the weekend of May 30, however, over 100 NHS mailboxes were compromised due to staff engaging with these phishing scams. These compromised mailboxes sent an untold number of malicious emails to outside recipients. However, no protected health information (PHI) was reported to be compromised.
In June, NHS Digital stated that:
We are aware that 113 NHSmail mailboxes were compromised and sent malicious emails to external recipients between Saturday 30 May and Monday 1 June 2020.
There is currently no evidence to suggest that patient records have been accessed. We are working closely with the National Cyber Security Centre, who are investigating a widespread phishing campaign against a broad range of organisations across the UK. This has affected a very small proportion of NHS email accounts.
This attack only represents 0.008% of all accounts in their network, as per NHS Digital.
NHS is continuing to investigate the issue and has taken precautions against further attacks by asking staff members to update their passwords, among other precautions.
NHS Digital stated:
In the past year, there has been a 94% decrease in phishing emails sent to NHSmail accounts due to a range of steps we have taken and in summer 2019 we also implemented a new password approach that follows National Cyber Security Centre guidelines.
The steps include protecting network security, managing user privileges, reporting incidents immediately, and establishing anti-malware defenses across organizations.
Those in the healthcare industry in the US and abroad can never have too robust of a cybersecurity and disaster plan. It is up to healthcare providers and their partners to establish protocols to protect PHI from cybercrime.
If there is a crack in your system, hackers will find a way to exploit it, especially during the COVID-19 global health crisis.
Additional steps should be taken to ensure the protection of patients and their information, such as comprehensive inbound and outbound email security protection. Using a HIPAA compliant email service like Paubox Email Suite Premium can provide peace of mind.
Paubox Email Suite Premium protects you, your staff, and your patients from a wide variety of scam email attacks, like malware or ransomware, by blocking these emails before they even hit your inbox. Additionally, our patented ExecProtect offers protection from display email spoofing emails.
Paubox encrypts all emails sent from a customer’s existing email platform (such as Google Workspace or Microsoft 365). Emails are delivered directly to a patient’s inbox, meaning your patients no longer have to log into or out of an email portal or use a password to read their messages.
Our Premium product also includes email archiving and data loss prevention (DLP), a feature that prevents unauthorized employees from transmitting sensitive information either accidentally or maliciously outside of a corporate network.