Several employees of Wise Health fell victim to phishing attempts in March, which gave hackers their login credentials; a “password spray attack” completes this week’s breach roundup.
Washington-based Wise Health System is notifying 35,899 patients that their data was potentially breached after several employees fell victim to phishing attacks in March.
On March 14, hackers launched a targeted email phishing campaign against the health system. According to officials, a few employees were duped by the malicious emails and, as a result, provided the hacker with their usernames and passwords.
Once the cybercriminals obtained the credentials, they used the information to access the employee kiosk in an attempt to divert direct payroll deposits. Officials stressed they do not believe the attackers were attempting to view patient data, but rather to obtain employees’ direct deposits.
However, as patient data was included in the compromised accounts, officials are notifying patients of the security incident. Officials said access to the email accounts could have potentially exposed patient data like medical record numbers, diagnostic and treatment data, and insurance information.
All impacted patients will receive a year of identity theft protection services. The notice did not explain the delay in notification. Under HIPAA, providers are required to report breaches to the Department of Health and Human Services within 60 days of discovery.
Since the incident, Wise Health has reviewed and updated its security policies and procedures. Officials said they’ve also worked with computer forensics experts to investigate the incident and reported the breach to law enforcement.
Edgepark Medical Supplies Reports “Password Spray Attack”
RGH Enterprises, doing business as Edgepark Medical Supplies, recently fell victim to a “password spray attack”, which potentially breached the information of 6,572 customers. Edgepark is a home-delivered medical product supplier in the US.
According to officials, Edgepark discovered that the shipping addresses listed in a small number of customers’ Edgepark.com accounts had been altered. As a result, the orders from the impacted accounts were being shipped to a different address than what was entered by the customer.
Officials temporarily disabled online access to the user accounts and launched an investigation. They found some accounts had been targeted with a sophisticated cyberattack known as a “password spray attack,” where a hacker repeatedly attempts to guess the users’ credentials, often through an automated process.
As a result, officials said it’s possible the hackers accessed some customer accounts without authorization and potentially viewed or accessed the customers’ names, dates of birth, addresses, products purchased through Edgepark, and health insurance information.
Social Security numbers, credit card numbers, and other financial data were not compromised.
All customers whose accounts were identified by Edgepark’s security team as having experienced unusual activity are being notified. However, officials said customers who detect unusual behavior should contact Edgepark. Officials have processed or will process refunds to customers who were erroneously charged as a result of the breach.
Law enforcement has been notified, and Edgepark is implementing additional security controls to lessen the likelihood of a repeat event.
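The pattern in the Edgepark account can be surfaced from authentication logs: a single source failing logins against many distinct accounts in a short window, followed by a successful login and a shipping-address change. The Python below is an added example, not Edgepark's tooling or code from the original article; the event names, thresholds, field layout and log records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the incident): time, source IP, account, event.
# Event names and field layout are assumptions for this example.
RAW_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", "login_fail"),
    ("2024-01-01T10:00:20", "203.0.113.7", "bob", "login_fail"),
    ("2024-01-01T10:00:40", "203.0.113.7", "carol", "login_fail"),
    ("2024-01-01T10:01:00", "203.0.113.7", "dave", "login_ok"),
    ("2024-01-01T10:02:00", "203.0.113.7", "dave", "address_change"),
    ("2024-01-01T10:03:00", "198.51.100.9", "erin", "login_fail"),
    ("2024-01-01T10:03:30", "198.51.100.9", "erin", "login_fail"),
    ("2024-01-01T10:04:00", "198.51.100.9", "erin", "login_ok"),
    ("2024-01-01T10:05:00", "198.51.100.9", "erin", "address_change"),
]

def parse(raw):
    """Convert timestamps to datetime and return events in time order."""
    return sorted((datetime.fromisoformat(t), ip, acct, ev) for t, ip, acct, ev in raw)

def spraying_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Sources whose failed logins hit >= min_accounts distinct accounts within window."""
    fails = defaultdict(list)  # ip -> [(time, account)]
    flagged = set()
    for ts, ip, acct, ev in events:
        if ev != "login_fail":
            continue
        fails[ip].append((ts, acct))
        recent = {a for t, a in fails[ip] if ts - t <= window}
        if len(recent) >= min_accounts:
            flagged.add(ip)
    return flagged

def accounts_to_review(events, flagged):
    """Accounts a flagged source logged in to, and those whose address then changed."""
    logged_in, changed = set(), set()
    for ts, ip, acct, ev in events:
        if ip not in flagged:
            continue
        if ev == "login_ok":
            logged_in.add(acct)
        elif ev == "address_change" and acct in logged_in:
            changed.add(acct)
    return logged_in, changed

if __name__ == "__main__":
    events = parse(RAW_EVENTS)
    flagged = spraying_sources(events)
    print(flagged, accounts_to_review(events, flagged))
```

The second source in the sample fails twice against a single account before succeeding, which looks like a user mistyping a password and is not flagged; counting distinct accounts per source is what separates the two cases.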
Source : healthitsecurity