Two healthcare organizations suffered data breaches due to their email service resulting in more than 72,000 records being exposed.
Rutland Regional Medical Center in Vermont reported several employee email accounts have been compromised, while the medical products firm Zoll had data possibly exposed when an email server migration went awry. In both cases the patient information became unsecure late last year.
Rutland caught on to the attack on December 21, 2018, when a large number of spam emails were found coming from a single staff email account. Then on December 31, 2018, the hospital’s IT department determined the account had been hacked and a further investigation conducted with the help of a forensic security firm found nine additional accounts had also been accessed. The accounts were open from November 2, 2018 to February 6, 2019
In all about 72,224 Rutland patients were affected. Information possibly visible to the attacker was information: name, contact information, Social Security number, financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, and health insurance information, the hospital said.
Rutland officials said in a statement that no electronic medical record systems or other Rutland Regional internal systems were affected.
Rutland did not indicate if the initial penetration was due to a phishing email, but a recent multi-year study conducted by the Journal of the American Medical Association on the email habits of hospital workers found one in seven is likely to click on a phishing email. Over a seven year period 10 educational phishing campaigns were conducted totaling almost 3 million phishing emails with 14.2 percent being clicked.
The positive take away is the workers did learn from their mistakes and the number of clicks went down as more phishing campaigns were sent.
Zoll reported, in a statement, its issue arose during an email server migration conducted by a third-party vendor resulting in the data being unsecure at some point between November 8, 2018, and December 28, 2018. The company does not believe the information has been used for malicious purposes and the vendor has secured the servers involved.
“Information that may have been exposed includes patient names, addresses, dates of birth, and limited medical information. A small percentage of patients also had Social Security numbers exposed,” Zoll reported.
The number of people affected was not released.