Phishing Attacks on Broome County NY and UMassMemorial Community Healthlink Impact 11,000+ Individuals

A phishing attack on Broome County in New York resulted in the compromise of the protected health information (PHI) of 7,048 individuals.

On January 2, 2019, Broome County officials discovered the attack after noticing a change in an employee’s direct deposit account data. The incident was immediately investigated, and it was discovered that many Broome County email accounts were compromised because of employee responses to phishing emails. Additionally, an unauthorized person was able to access the employees’ PeopleSoft accounts.

A hired computer forensics specialist assisted with the investigation to determine how the unauthorized person accessed the accounts and when the access first happened. The investigation findings showed that the first account compromise was on November 20, 2018. Further unauthorized access of the accounts continued until January 2, 2019.

The investigators checked all employee direct deposit data and analyzed all email messages and attachments in the compromised accounts.

Broome County states that the phishing attack affected several county departments, which include the Department of Health. The incident also affected the Willow Point Nursing Home and Rehabilitation & Nursing Center.

The types of data contained in the emails differed from one person to another, but the following information may have been included: names, contact details, dates of birth, Social Security numbers, bank account numbers, other financial details, patient identification numbers, medical record numbers, health insurance data, claims details, and medical and clinical data like diagnoses and treatment details.

Broome County is going to use extra safeguards, such as multi-factor authentication, to defend against future cyberattacks. Employees will also receive additional training.

A phishing attack on UMass Memorial Community Healthlink, which provides behavioral health, addiction, and homeless services all over central Massachusetts, resulted in an unauthorized person gaining access to two employees’ email accounts. Community Healthlink detected the breach on April 18, 2019 and secured the accounts.

According to the breach investigation findings, the accounts were accessed on the same day the breach was detected, so the hacker was able to access information in the compromised email accounts for a limited period of time only.

There was no evidence that would suggest the viewing or copying of the emails; nevertheless, the following data of 4,598 patients may have been compromised: names, birth dates, client identification numbers, details of diagnosis and treatment, medical insurance data, and Social Security numbers of some people.

To protect against further breaches, UMass Memorial Community Healthlink took the following steps: reset the passwords, strengthened the policies to stop access of the email accounts from external domains, increased automatic alerts, and strengthened defenses against email impersonation attacks. Employees were also given further training.