A Health District in the State of Washington has made its second data breach announcement of 2022.
Both data breaches at the Spokane Regional Health District (SRHD) occurred when employees fell victim to phishing attacks.
On January 24, the district confirmed that personal data may have been exposed when an unauthorized individual gained access to an employee’s email account on December 21, 2021. An internal investigation concluded that while no documents appeared to have been opened, accessed, or downloaded, the attacker may have ‘previewed’ clients’ protected health information (PHI).
The potential disclosure may have affected 1,058 individuals and involved data including names, dates of birth, case numbers, counselors’ names, test results and dates of urinalysis, medication received and date of last dose.
In a written statement issued in January, SRHD deputy administrative officer Lola Phillips said that the district had secured the email account and reinforced “cybersecurity training with staff that contains the use of multi-factor authentication and performing additional testing on the system.”
Despite these efforts, SRHD recently reported a second data breach caused by a district employee opening a phishing email on February 24. This latest breach may have exposed the information of 1,260 individuals from two unidentified departments in the district.
Information which may have been involved in the second breach includes names, dates of birth, phone numbers, medications, medical conditions and test results.
JupiterOne’s field security director, Jasmine Henry, told Infosecurity Magazine that healthcare is among the most targeted industries because healthcare organizations have a high volume of sensitive data which cyber-criminals can sell for profit.
“Stolen patient records can sell for $250 on the dark web, compared to just $5.40 for payment records,” said Henry. “In addition, health data is more valuable because it is relatively permanent … an individual can’t easily cancel their health record like a stolen credit card number.”
Lookout’s senior manager of security solutions, Hank Schless, said protecting data was a tough job for healthcare organizations.
“Detecting and protecting against these phishing campaigns and malicious payloads as they’re being built requires a massive amount of security telemetry,” said Schless.
He advised organizations to “create a solid security posture based on a zero-trust philosophy” by “securing employee mobile endpoints as well as your cloud and private apps.”