News Feature | May 21, 2015

Seton Health Breached Through Email Phishing Scam

By Megan Williams, contributing writer

Seton Healthcare Family has announced on its website that it was the victim of an email phishing attack, and that the attack has impacted its patients.

“The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton's patients.”

The Attack

Seton has traced the attack to a phishing event on December 4, 2014. Agents targeted the user names and passwords of Seton employees. Once it was discovered that an account had been compromised, that account was shut down and an investigation was launched.

The Investigation

Investigating the issue required an electronic and manual review of affected emails to determine the scale of the attack. Seton hired computer forensics experts to aid in the investigation and determined on February 26, 2015, that the PHI (protected health information) of almost 40,000 patients had been jeopardized. This included demographic and clinical information, medical record numbers, insurance information, and in some cases, Social Security numbers.

The health system also announced that the hackers were not able to gain access to individual medical or billing records.

The Response

Seton is taking action on notification, as indicated in its announcement, which added:

“Please be assured that Seton is taking steps to mitigate this incident by notifying affected individuals via letter, posting this substitute notice and providing notice to prominent media outlets in the area. Identity monitoring and protection services are being offered free of charge for those whose Social Security numbers have been affected by the incident. Additionally, Seton is working with its email service provider to evaluate ways to enhance its already robust security program. Seton will also provide additional education to employees regarding e-mail phishing.”

The healthcare system apologized and included contact information for the three credit reporting bureaus for patients interested in obtaining free credit reports.

Other Recent Breaches

The Seton announcement comes right on the heels of the revelation of the November breach of over 3,000 patients’ information via Partners HealthCare. That breach also involved phishing emails and the compromise of sensitive patient information.
