Phishing at the Nebraska Department of Health

The Nebraska Department of Health and Human Services (HHS) reported a data breach at one of the city of Lincoln’s departments, Aging Partners. Aging Partners provides and advocates for older people within the eight-county area of Lincoln. According to the press release, employees of Aging Partners fell victim to phishing emails, inadvertently exposing participants’ protected health information (PHI). Phishing remains a serious problem in 2021, especially for covered entities tasked with caring for their patients while ensuring HIPAA compliance.

RELATED: 17 shocking phishing statistics you need to read in 2021

For healthcare organizations, employing strong email security (i.e., HIPAA compliant email) along with up-to-date employee awareness training is the safest way to combat phishing emails.

What happened?

On May 25, the City’s Information Services Department discovered that Aging Partners was hacked via a successful email phishing scam. A cyberattacker gained access to employee email accounts between May 18 and May 21. When realized a few days later, IT cut the affected email accounts off from the rest of the system and quickly established new passcodes. City staff performed their own investigation before transferring the evidence to a third-party company to determine the extent of the breach. The accessed email accounts included over 46,000 emails. The investigation established that some of the emails involving 1,513 program participants contained PHI. This includes name, address, date of birth, phone number, Social Security number, date of service, type and amount of service, or other health information (i.e., medical conditions, level of care assessments, and medication). Thankfully, the majority of the emails only included names. Unfortunately, a small number also contained bank accounts or other financial information. Nebraska HHS recently informed the U.S. HHS Office for Civil Rights (OCR) of the breach; it has yet to be added onto OCR’s Breach Portal.

RELATED: What is the HHS’ Wall of Shame?

Nebraska HHS will send details to those affected; anyone who had financial information exposed will also receive professional credit monitoring services.

What is phishing?

Email phishing, also known as email spoofing or email impersonation, involves a malicious attempt to trick victims into giving up personal and/or online account information. This is what happened to Aging Partners employees.

RELATED: Phishing attacks wreak havoc on healthcare providers

Phishing is a major cause of breaches today because it can easily take advantage of tired or unaware staff using  social engineering techniques. Cyberattackers may craft a malicious message to induce panic or quick action. They often capitalize on news events, like the COVID-19 pandemic. Phishing emails can be targeted ( spear phishing) or sent en masse ( spam) and often contain malware that can then spread throughout a system shutting the network down or encrypting/stealing data.

RELATED: What is a phishing kit?

The phishing message and the outcome depend on what the cyberattacker wants. No matter the reason, cybercriminals still send malicious emails today because they target the most vulnerable of any organization: employees.

Training: necessary but not enough

Unfortunately,  human error is unavoidable because employees are easy to compromise. Moreover, email is the most accessible  threat vector (or entry point) into any computer/network.

RELATED:  How to ensure your employees aren’t a threat to HIPAA compliance

This is why continuous and up-to-date cybersecurity training is important. Under the  HIPAA Privacy Rule, healthcare organizations must provide employees with HIPAA compliance training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.” Cybersecurity and anti-phishing training increase employees' readiness to face cyberattacks. They can even learn to recognize and block phishing attacks before they cause irreparable damage.

RELATED: What you don’t know about cybersecurity can put your business at risk

Organizations train employees to mitigate risks themselves, but training must always be combined with other cybersecurity methods. A layered approach is necessary for complete HIPAA cybersecurity compliance. And it must include email security.

Paubox Email Suite—remove some of the burden from employees

Stressed and worried employees easily become victims, which is why it is necessary to combine training with strong email security. Paubox Email Suite Plus provides solid inbound email security, which protects against phishing emails and viruses. Moreover, our patented  ExecProtect feature blocks display name spoofing attacks while Zero Trust Email asks for additional proof of legitimacy before delivering an email message. Employees can also send HIPAA compliant emails directly to patients’ inboxes because our patented software seamlessly encrypts all outgoing messages.

RELATED: Better safe than sorry: why email encryption is a must for healthcare

Our HITRUST CSF certified solution requires no change in user behavior. Emails are sent directly from your existing email platform (such as Microsoft 365 or  Google Workspace). Randall Jones, director of Aging Partners, emphasized in the press release that PHI privacy is a top priority of the organization. That they would add additional measures to eliminate access and ensure HIPAA compliance. But rather than release such statements after a breach, secure your network, emails, and PHI before a cyberattack can become a disaster.