Phishing Attack Jeopardizes the Medical History of 130K

^{Photo/Thumb have been modified. Courtesy of EV_Korobov - stock.adobe.com.}

A phishing attack at Kalispell Regional Healthcare might have affected nearly 130,000 patients’ personal health information, according to several news reports.

Mellody Sharpton, director of communications at Kalispell Regional Healthcare confirmed to Inside Digital Health™ that 129,641 patients are in jeopardy.

Employee neglect continues to remain an issue in healthcare as several employees at the Montana-based medical center fell victim to a well-designed email with a malicious link, Craig Lambrecht, M.D., president and CEO of Kalispell Regional Healthcare said in a notification of data security event letter. Following the link presented in the email, the employees provided their Kalispell Regional Healthcare credentials to cyberattackers.

Despite employees being trained on cybersecurity standards and threats continuously, several employees still clicked the link, Sharpton said.

Kalispell Regional Healthcare notified federal law enforcement after it became aware of the phishing attack over the summer. An investigation ran by a digital forensics firm helped unearth additional information about the cybersecurity attack. On Aug. 28, the medical center found out that some patients’ personal information could have been accessed. Further investigation determined specific patients whose information could have been accessed as early as May 24.

The information obtained by the cyberattackers could include:

• Patient’s name
• Social Security number
• Address
• Medical record number
• Medical history
• Treatment information
• Date of service
• Treating/referring physician
• Medical bill account number/ health insurance information
• Date of birth
• Telephone number
• Email address

There is no indication that the information was misused, Lambrecht claimed in the notification. Still, patients who were potentially impacted by the phishing attack received a letter in the mail.

Patients are being offered complimentary fraud consultation and identity theft restoration services. The affected patients also can get 12 months of web or credit monitoring services at no charge, depending on the information obtained on that specific individual.

The medical center is revising its procedures and continuously works to make its security systems more robust to prevent this from happening again, Sharpton said.

“We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future,” Lambrecht said.

Get the best insights in digital health directly to your inbox.

Related

Ransomware Attack Forces 3 Hospitals to Turn Away Patients

Ransomware Attack Affects 320K, Medical Group Provides No Updates

FDA Warns Providers of Medical Device Cybersecurity Vulnerabilities