Spear phishing attack nets PHI of more than 9,000
A Wisconsin provider organization fell for a spear phishing scam, breaching the protected health information (PHI) of more than 9,000 individuals.
The Medical College of Wisconsin, Inc., (MCW) in Milwaukee, Wisconsin, said in its November 15 statement that only a limited number of employee email accounts were affected. However, 9,500 individuals were affected by the breach, according to information on the Office for Civil Right’s breach report portal.
MCW disabled the affected email accounts and changed passwords after the incident was discovered. The organization also hired an independent computer forensic firm to assist in the investigation. Although MCW did not disclose the date the incident was discovered, the investigation, which concluded on September 20, found that email accounts were compromised between July 21 and July 28. The investigation was unable to determine if any PHI was accessed, viewed, downloaded, or otherwise acquired by an unauthorized user.
The email accounts contained PHI including patients’:
- Date of birth
- Date(s) of service
- Diagnosis/condition
- Health insurance information
- Home address
- Medical record numbers
- Name
- Surgical information
- Treatment information
Some patients’ Social Security numbers and bank account information was also saved in the affected email accounts. Credit monitoring and identity theft restoration services are provided to patients whose Social Security numbers may have been compromised.