Phishing incidents in February that may have compromised the data of 3,184 patients, including their names, dates of birth, medical record and account numbers, dates of service and medical information is causing Wyoming Medical Center in Casper, Wyoming to notify the patients of the incident. Luckily, according to the medical center, no financial information or Social Security numbers were included in the information that was accessed for 15 minutes by the hacker, who was able to get access into two organizational accounts and obtain administrative credentials.
The facts of this case are a good learning tool for any industry. An employee of the medical center opened a phishing email and clicked on an attached link on February 22, which provided the hacker access to that employee’s emails, which contained patient information (and could obtain any type of information depending on the employee’s job function). A second employee opened a phishing email three days later, allowing a second unauthorized access to that employee’s emails.
According to the medical center, the IT system was able to detect the compromise as the employees’ compromised accounts sent spam emails to other medical center employees, and they were able to stop the compromise quickly. Nonetheless, the 15 minutes of unauthorized access led to the medical center notifying almost 3200 patients, which shows just how fast a compromise can happen.
Phishing continues to be a huge issue for businesses, and multiple attempts and compromises are not uncommon with sophisticated spear phishing attacks. Continue to be on the lookout for these phishing schemes, and provide your employees with training and tools to combat them.