Last week, I read a breach notification from Wise Health in Texas, and I duly noted it in my monthly worksheet. Not all incidents logged in my worksheet get reported on the blog, but I do include them in my monthly statistical analyses.
Today, however, I see that Wise Health reported the incident to HHS as impacting 35,899 patients.That seems to demand some mention on the blog.
As Wise Health reports, on March 14, an attacker or attackers launched a phishing attack against their system. Several employees fell for the phish and provided their login credentials. As Wise Health explains:
Once these usernames and passwords were obtained, the intruders used the information to access the Employee Kiosk in an attempt to divert payroll direct deposits. Although we do not believe that it was the intent of the phishing emails to obtain patient information, access to the email boxes may have compromised your patient information such as your medical record number, diagnostic and treatment information, and potentially insurance information. Again, we believe the purpose of this campaign was to divert payroll direct deposits rather than to obtain patient information. However, we felt it would be prudent to make you aware of this incident. Wise Health System has not received any reports of patient identity theft since the date of the phishing incident (March 14, 2019 to present).
Wise Health contracted with ID Experts to provide services to those being notified.
You can read Wise Health’s notification template below.
Breach-NotificationDetails-27