Wise Health System, based in Decatur, TX, began sending patients notifications about the exposure of some of their protected health information (PHI) due to a phishing attack. The breach potentially affected 35,899 patients.
The attack happened on March 14, 2019. A number of employees received phishing emails, and some of them responded and gave away their account login credentials. The attacker(s) then used the credentials to access the Employee Kiosk and tried to redirect about 100 payroll direct deposit payments.
The policies of Wise Health require the printing of a paper check for two successive payrolls after a change to direct deposit information. On April 5, the printed checks in the payroll were unusually big, which triggered the alarm. Because of the two-check policy, the scam was averted and payments were not redirected. Passwords across the entire system were changed immediately to block the attackers. Two third-party forensic companies were retained to look into the incident. Wise Health also reported the breach to the FBI.
The only reason for the attack seems to have been the rerouting of the direct deposits. Nevertheless, the stolen credentials could be used to access employee email accounts, which contained the names of patients, diagnostic data, treatment details, medical record numbers and medical insurance details.
Wise Health System believes that the attackers did not access PHI, and no report has been received that indicates the misuse of any patient information. Both forensics companies and the FBI have the same findings. All the investigators say that this is the first time they’ve seen a direct deposit attack like this involving attackers that stole patient data. The attackers, whom the FBI traced to Africa, are experts in direct deposit fraud. The investigation is now closed.
Because the possibility of unauthorized PHI access and theft of patient data can’t be ruled out, Wise Health sent notification letters to patients on July 12, 2019. To ensure they are protected, the affected patients were offered complimentary membership to the ID Experts MyIDCare service (insurance coverage, credit monitoring and identity theft recovery) for 12 months.
Wise Health System is reviewing its security policies and procedures and will be taking steps to reinforce security.