Wise Health has revealed that a phishing attack on their system has compromised the protected health information (PHI) of 36,000 patients.
Wise Health System is a health care system with over 1,900 employees based in Decatur, Texas. The breach occurred on March 14, 2019, when a hacker sent phishing emails to employees of the organization. Several employees were fooled by the spoof emails and responded, allowing the hacker to harvest their login credentials. The hacker then used the credentials to log in to the Employee Kiosk and attempted to redirect over 100 payroll direct deposits.
Wise Health had anti-fraud policies which require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5, and the unusually high number of checks raised the alarm.
Because of this two-check policy, the hacker’s attempts to redirect the payments were blocked, and no payments were redirected.
Realizing that an unauthorized individual had gained access to their system, Wise Health immediately performed a system-wide password change to lock out the attackers. They also hired two third-party forensic firms to investigate the breach. The breach was also reported to the FBI.
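The control that stopped the fraud was simple: any change to direct-deposit details forces a paper check for the next two payroll runs, so a mass redirection shows up as an unexplained pile of printed checks. As an added illustration (not Wise Health's payroll system or any code from this article), the following Python models that hold window and the spike check over a constructed audit trail of deposit-change records; the employee IDs, run numbers, source addresses, and the three-times-baseline threshold are all assumptions made for the example.

```python
"""Two-payroll paper-check hold for direct-deposit changes, with a spike alert.

Constructed example: the records, thresholds and source addresses below are
invented for illustration and do not come from any real payroll system.
"""
from dataclasses import dataclass

HOLD_RUNS = 2  # paper checks are printed for this many payroll runs after a change


@dataclass(frozen=True)
class DepositChange:
    employee_id: str
    payroll_run: int   # payroll run in which the new bank details were entered
    source_ip: str     # address the self-service change came from (constructed)


def needs_paper_check(change: DepositChange, current_run: int) -> bool:
    """True while the change is still inside the two-run hold window."""
    return 0 <= current_run - change.payroll_run < HOLD_RUNS


def paper_checks_for_run(changes, current_run):
    """Employees who receive a printed check instead of a deposit this run."""
    return sorted({c.employee_id for c in changes if needs_paper_check(c, current_run)})


def check_counts_by_run(changes, last_run):
    """Number of paper checks printed in each run from 1 to last_run."""
    return {run: len(paper_checks_for_run(changes, run)) for run in range(1, last_run + 1)}


def spike_detected(count, baseline_counts, factor=3, min_count=10):
    """Alert when the check count is both large and far above the prior high."""
    if not baseline_counts:
        return count >= min_count
    return count >= min_count and count > factor * max(baseline_counts)


def changes_by_source(changes, run):
    """How many deposit changes in this run came from each source address."""
    counts = {}
    for c in changes:
        if c.payroll_run == run:
            counts[c.source_ip] = counts.get(c.source_ip, 0) + 1
    return counts


def review_run(changes, run):
    """Summarise one payroll run: check count, baseline, alert flag, top source."""
    history = check_counts_by_run(changes, run)
    count = history[run]
    baseline = [history[r] for r in range(1, run)]
    top_source = max(changes_by_source(changes, run).items(),
                     key=lambda kv: kv[1], default=(None, 0))
    return {
        "run": run,
        "paper_checks": count,
        "baseline": baseline,
        "alert": spike_detected(count, baseline),
        "top_source": top_source,
    }


def _constructed_changes():
    # Runs 1-3: a handful of routine changes from internal addresses.
    changes = [
        DepositChange("E0101", 1, "10.0.12.5"),
        DepositChange("E0102", 1, "10.0.12.9"),
        DepositChange("E0103", 2, "10.0.13.2"),
        DepositChange("E0104", 2, "10.0.12.5"),
        DepositChange("E0105", 3, "10.0.14.8"),
        DepositChange("E0106", 3, "10.0.12.1"),
    ]
    # Run 4: one hundred changes in a single run, all from one outside address.
    changes += [DepositChange(f"E{2000 + i}", 4, "198.51.100.7") for i in range(100)]
    return changes


SAMPLE_CHANGES = _constructed_changes()

if __name__ == "__main__":
    for run in range(1, 6):
        print(review_run(SAMPLE_CHANGES, run))
```

Run 4 prints 102 checks against a baseline that never exceeded four, so the alert fires even though each individual change looked like an ordinary self-service update; grouping the same run by source address shows all 100 suspicious changes sharing one origin, which is the kind of correlation an investigator would want next to the check count.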
The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.
Wise Health System does not believe the attackers accessed PHI. To date, the organization has not received any reports to suggest that any patient information has been misused. The cybersecurity firms and the FBI both agreed with this conclusion.
“In working with all their field office cybercrime counterparts, they’ve never seen a direct deposit phishing incident like this result in patient information stolen,” said WHS Marketing and Communications Director Shannon Spann. “The forensic firms don’t believe that was the case, but we want our patients to have the absolute most protection.”
Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on July 12, 2019, and affected patients have been offered a 12-month complimentary membership to ID Experts MyIDCare service.
Wise Health has hired information security experts to reassess their cybersecurity framework and make their security ‘as tight as possible’. Employees have been given training on how to spot phishing emails and have been informed of the correct way to deal with suspicious emails.
The hackers were traced back to Africa. As no money was stolen in the incident, the FBI has stopped investigating the case.