On July 13, 2019, Wise Health System (WHS) reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).
Wise Health System is located in Decatur and has notified over 35,000 patients that their personal information may have been disclosed in a data security breach.
The hospital sent a press release Friday stating it was investigating a phishing attack, which led to the security incident.
Wise Health System is classified as a Healthcare Provider.
According to their press release:
What Happened?
“On March 14, 2019, an email phishing campaign was launched against Wise Health System,” the press release said. “Unfortunately, a few of Wise Health System’s employees provided their user names and passwords in response to this phishing email.”
The release explains the hackers used the information to access the employee kiosk in an attempt to divert payroll direct deposits. Kimberly Browder, WHS vice president of compliance and privacy officer, told the Messenger Tuesday hackers tried to change approximately 100 payroll direct deposits. The hospital’s payroll system requires a paper check be printed for two payrolls after any changes are made to an employee’s direct deposit. When payroll was sent April 5, an unusual number of checks were required to be printed, a red flag to WHS staff. Browder pointed out not all entities have the two-paycheck safeguard in place, and without that, the money would have been stolen. “We forced a password change immediately, system wide,” Browder said. She also noted all employees were paid. No one missed a paycheck.
What Information Was Involved?
“Although we do not believe that it was the intent of the phishing emails to obtain patient information, access to the email boxes may have compromised patient information such as medical record number, diagnostic and treatment information and potentially, insurance information,” it said in the press release. WHS Marketing and Communications Director Shannon Spann said in some cases only a patient’s name was potentially accessed by the hacker, but even those patients received letters as a precaution. WHS has not received any reports of identity theft between March 14, the date of the phishing incident, and now.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
Under section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.