Cybersecurity in the Healthcare: Spear Phishing and Data Breaches Amidst Growing Cybercrime

Cybersecurity in the Healthcare: Spear Phishing and Data Breaches Amidst Growing Cybercrime

A hacker sits at his computer and attacks Healthcare companies
Let's look at examples of incidents that have occurred in the Healthcare industry.
  • Incident 1
Saint Agnes Health Care, Inc. in Maryland disclosed that a cyberattack exposed 25,000 HIPAA records. The healthcare company Saint Agnes Health Care, Inc. of Maryland has reported that hackers gained access to an email account through a phishing campaign. Although only one email account was compromised, the user had privileges to access Protected Health Information (PHI), and the account contained records of approximately 25,000 patients of the facility.


  • Incident 2
UnityPoint Health Phishing Attack. In 2017, UnityPoint Health suffered a phishing attack in which attackers gained access to email accounts containing the protected health information of patients. A year later, between March and April 2018, the healthcare organization was targeted again, and this time the data of over 1.4 million patients was compromised. The second attack was conducted to divert payroll and vendor payments.


  • Incident 3
UCSD Medical Center. In 2021, UC San Diego Medical Center fell prey to a phishing scheme that resulted in numerous employee email accounts being compromised. This breach granted the attackers entry to confidential data belonging to patients, students, and staff. Shockingly, the breach remained unnoticed for an extended period, affecting the privacy of 495,949 individuals. The initial breach occurred in December 2020, with detection finally transpiring on March 12, 2021. However, it wasn't until April 8, 2021, that the intruders were successfully expelled from the system.


  • Incident 4
Henry Ford Health Phishing Attack. Henry Ford Health notified 168,000 patients that an unauthorized individual gained access to employee email accounts holding protected health information (PHI) after employees responded to phishing emails. The email accounts held patient information, including names, dates of birth, age, gender, telephone number, medical record number, lab results, procedure type, diagnosis, and date(s) of service.


What Are the Worst Consequences of a Healthcare Company Being Hacked Through Phishing?

1. Compromise of Sensitive Patient Data
- Identity Theft: Stolen personal information such as social security numbers and health insurance details can lead to fraudulent activities.
- Financial Fraud: Attackers may use compromised data to commit financial crimes or obtain unauthorized medical care.

2. Potential for Loss of Life
- Access to Medical Records: Attackers could misuse medical records, potentially leading to harmful consequences if critical information is exploited.

3. Data Theft and Illegal Use
- Obtaining Free Medical Care: Attackers may use stolen information to access medical services fraudulently.
- Blackmail: Victims might be threatened or blackmailed using their stolen personal and medical information.

4. Sale of Stolen Data
- Dark Web Transactions: Stolen data might be sold on the dark web, resulting in significant financial damage to both the healthcare organization and the individuals affected.

5. Reputational Damage
- Loss of Patient Trust: A data breach can erode public confidence in the healthcare provider's ability to safeguard sensitive information.

This list captures the major risks and consequences of a phishing attack on a healthcare organization.

Links to cases of hacking of organizations using phishing in the Healthcare industry

https://www.hipaaguide.net/examples-of-phishing-attacks/

https://www.social-engineer.com/phishing-attacks-targeting-healthcare-organizations-social-engineering-news/

https://www.hipaajournal.com/saint-agnes-healthcare-hack-exposes-25000-hipaa-records-5663/

Links with phishing threats in other industries:

Cybersecurity in Insurance
Cybersecurity in Education