Another day, another major phishing attack.
UAB Medical is the victim of a successful phishing attack that targeted their payroll information. Hackers breached a number of UAB Medical employee emails that contained the health information of approximately 19,557 patients.
The attack began on August 7th, 2019, with cybercriminals sending emails to employees as if they were from an executive asking them to fill out a survey. This survey required employees to give their username and password, which allowed the cybercriminals to gain access to the UAB Medical systems. With this access, they attempted to modify the payroll system to send payments to their own bank accounts.
While this plan was ultimately unsuccessful, the cybercriminals still accessed medical information for almost 20,000 patients in the process, including patient names, birth date, diagnosis, treatment information, and social security numbers.
“As a result of this attack, UAB Medicine is notifying 19,557 patients their protected health information has been exposed and could potentially have been viewed by the hackers,” the University of Alabama stated in a notice. “The protected health information varied but may have included the patient’s name with one or more of the following data elements: medical record number, birth date, dates of service, location of service, diagnosis, and treatment information. Social Security numbers were included for a small subset of patients, and those patients have been specifically notified with specific instruction on their course of action.”
Obviously, most of the UAB Medical employees that received the phony survey email didn’t know enough to see it for what it was. The question is – would you? Would your employees?
It all comes down to what you know and the actions you take…
Phishing attacks are typically done via mass emails that request confidential information or credentials under false pretenses, link to malicious websites or include malware as part of an attachment.
The key to phishing’s effectiveness is how unsuspecting the target is. The fact is that businesses aren’t learning to protect themselves, which is why the number of reported phishing attacks has gone up by 65% in the past few years.
Case in point: the Alive Hospice in Nashville has reported that an employee’s email account was accessed by an unauthorized party in May 2019. When the suspicious activity was noted, they launched an investigation, discovering that the hackers had access to the account for two days, but as of yet no evidence has been found to suggest any patient information was accessed or stolen. Unfortunately, this type of breach is becoming all too common.
Share these tips with your employees to ensure they know how to spot a phishing attempt:
At the end of the day, there is no perfect technological solution that will save you from phishing. It all comes down to you (and the other users at your business), and how capable you are at spotting a scam when it comes into your inbox.