PORT TOWNSEND — Some 2,550 people may have had personal information taken during a phishing attack on a Jefferson Healthcare hospital employee’s email account, according to a hospital spokesperson.
All have been notified.
The attack, which occurred on Nov. 12, did not get into any systems outside the email account, said Amy Yaley, Jefferson Healthcare marketing and communications director, in an email released late Monday.
“At this time, Jefferson Healthcare has a reasonable basis to believe that there has not been any improper access to its electronic medical record system, billing systems, or other systems outside of the affected email account, or that the incident has affected or will affect any patient care,” Yaley’s email said.
Most information was not especially sensitive, but in 84 cases, Social Security numbers or financial information may have been disclosed, she said Tuesday.
Jefferson Healthcare has arranged for those people to enroll in a credit monitoring service through Experian at no cost to the individuals, she added.
The employee whose email account had been attacked responded to what appeared to be a DocuSign document. Then she noticed emails were sent from her address to other people in her address books, Yaley said.
Jefferson Healthcare quickly contacted those 658 people to tell them not to open the document, Yaley said.
At the same time, the hospital’s IT crew checked to see if the phishers had penetrated the firewall.
“They did not breach the firewall,” Yaley said, adding that the phishers did not get to financial records.
The computer was taken offline as soon as the breach was discovered. The phishers were in the system for about three days, Yaley said.
The hospital hired two forensic specialist companies to determine the nature and extent of the unauthorized access and email breach and to determine if personal information was involved, Yaley said.
The investigators combed through 30,000 .pdf documents and attachments to find everyone who might have been affected. They finished their work in the week between Christmas and New Year’s, Yaley said, and those who were found were sent notice on Monday.
“Based on Jefferson Healthcare’s security practices and investigation of the incident, it is reasonably believed that relatively few documents were likely viewed by the unauthorized parties during their brief access to the affected email account,” she added.
“However, the investigation could not definitively conclude that the unauthorized parties did not access certain information and documents stored in the affected email account.”
Other potentially exposed information included an individual’s full name, date of birth, phone number, home address, health insurance information, certain health information such as dates of service, and diagnosis and treatment information.
Yaley also said Jefferson Healthcare has taken preventative measures such as adding anti-fraud technology safeguards and other cybersecurity risk prevention measures; reinforcing education and training for its staff members on how to avoid email phishing schemes and how to properly secure login credentials; and reviewing its policies and procedures to ensure they sufficiently protect against more such incidents.
“Jefferson Healthcare takes individual privacy, and the trust of our community, seriously and has taken immediate steps to enhance our information security systems,” said Brandie Manuel, chief patient safety and quality officer.
It is not known who breached the computer.
“These things (phishing emails) look good. They are very sophisticated,” Yaley said. “All of us are going to have to continue to be more and more aware of what’s out there.
“They are after any information they can get.”
Executive Editor Leah Leach can be reached at 360-417-3530 or at [email protected].