UAB Medical Hit In Phishing Scam – Are You Next?

Another day, another major phishing attack.

UAB Medical is the victim of a successful phishing attack that targeted their payroll information. Hackers breached a number of UAB Medical employee emails that contained the health information of approximately 19,557 patients.

The attack began on August 7th, 2019, when cybercriminals sent employees emails that appeared to come from an executive and asked them to fill out a survey. The survey required employees to enter their username and password, which gave the cybercriminals access to the UAB Medical systems. With this access, they attempted to modify the payroll system to send payments to their own bank accounts.

While this plan was ultimately unsuccessful, the cybercriminals still accessed medical information for almost 20,000 patients, including patient names, birth date, diagnosis, treatment information, and social security numbers.

“As a result of this attack, UAB Medicine is notifying 19,557 patients their protected health information has been exposed and could potentially have been viewed by the hackers,” a notice from the University of Alabama stated. “The protected health information varied but may have included the patient’s name with one or more of the following data elements: medical record number, birth date, dates of service, location of service, diagnosis, and treatment information. Social Security numbers were included for a small subset of patients, and those patients have been specifically notified with specific instruction on their course of action.”

Obviously, most of the UAB Medical employees who received the phony survey email didn’t know enough to see it for what it was. The question is – would you? Would your employees?

It all comes down to what you know and the actions you take…

What Is Phishing?

Phishing attacks are typically done via mass emails that request confidential information or credentials under false pretenses, link to malicious websites or include malware as part of an attachment.

The key to phishing’s effectiveness is how unsuspecting the target is. The fact is that businesses aren’t learning to protect themselves, which is why the number of reported phishing attacks has gone up by 65% in the past few years.

The average phishing attack costs a business $1.6 million. The problem with the rising tide of cybercrime incidents is that we are getting desensitized to the whole thing.

Case in point: the Alive Hospice in Nashville has reported that an employee’s email account was accessed by an unauthorized party in May 2019. When the suspicious activity was noted, they launched an investigation, discovering that the hackers had access to the account for two days, but as of yet no evidence has been found to suggest any patient information was accessed or stolen. Unfortunately, this type of breach is becoming all too common.

What Do All Phishing Emails Have In Common?

Share these tips with your employees to ensure they know how to spot a phishing attempt:

  1. Watch For Overly Generic Content And Greetings: Cybercriminals will send a large batch of emails. Look for examples like “Dear valued customer.”
  2. Examine The Entire From Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain (a lookalike domain).
  3. Look For Urgency Or Demanding Actions: “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.”
  4. Carefully Check All Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
  5. Notice Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass email spam and content filters.
  6. Don’t Click On Attachments Right Away: Virus-containing attachments might have an intriguing message encouraging you to open them, such as “Here is the Schedule I promised.”

At the end of the day, there is no perfect technological solution that will save you from phishing. It all comes down to you (and the other users at your business), and how capable you are at spotting a scam when it comes into your inbox.
