All is well here at Woesnotgone Meadow, where everyone has
above average bandwidth.
At times, the citizens of the Meadow may get the flu or
another virus. With a certain portion of the population, the flu or pneumonia has
the potential to be very serious. At this point, the resident is transported to
a hospital and becomes a patient. At this point, the patient provides their
personal information, including their name, social security number, and
insurance information. The hospital then becomes responsible for the patient's
personal, confidential data. Generally, this is not an issue and the hospital has
the data secured. At times, however, this is not the case.
Pawnee County Hospital is located in Nebraska. The hospital
conducts business just as most hospitals do. Most of their days on the
administrative side are not all too exciting. Things were about to change for
the administrators. The subject attack was rather passive, yet in this case,
very effective. On November 29, 2018, the hospital discovered the issue. A hospital
staff member had received and opened an email. This happens dozens and dozens
of times a day for most of the hospital’s staff members. In this case, as with
the others, the employee thought (mistakenly) this was from a trusted source.
Unfortunately, the staff member opened the attachment and began the infection.
The attacker had access from November 16 through 24. The employee’s email account
contained business clinic reports, clinical summaries, and
other pertinent internal documents. Post-discovery, the hospital did contract
with a third party for the forensic work.
As this is a hospital, the data they have been entrusted with
contains primarily the patient’s confidential data and information (PHI &
PII). The compromise allowed unauthorized access to this. The data the attacker
had access to was the patient’s full name and at least one of the following
(address, date of birth, date(s) of service, medical record number, clinical
information, insurance information, and driver’s license/state ID numbers). The
patient’s social security number may also have been involved.
Due to the compromise, the hospital was required to notify
7,038 to 7,175 patients of the issue. This was the direct result of the malware
infecting the system. The compromise created quite an issue for the hospital.
As for the remediation, the hospital did agree to provide one year of
credit monitoring service. The IT department also began to update their
systems. All of the staff members were required to reset their email passwords.
There were additional security features involved.
This issue also continues to show the importance of employee
training. With appropriate training, perhaps there would be fewer of these types
of issues.
Thanks for visiting Woesnotgone Meadow, where the encryption
is strong, and the O/Ss are always using the latest encryption.