In July 2019, this site noted that Wise Health in Texas had notified HHS about a HIPAA breach impacting 35,899 patients. The report concerned a phishing incident in March, 2019 that was discovered in April, 2019.
Last week, Wise Health issued another press release, reproduced below. At first blush, it might sound like a new incident, but it appears to be the same incident, although the provider does not explain why it took so long to identify the additional 31,000 patients who required notification.
DECATUR, Texas, Feb. 13, 2020 /PRNewswire/ — Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 66,934 patients have potentially been affected.
The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits. Attempts were made to redirect approximately 100 direct deposit payments.
Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5, 2019 and the unusually high number of checks raised the alarm, thanks to the two-check policy. A system-wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate the breach. The breach was also reported to the FBI.
The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.
Wise Health System does not believe PHI was accessed by the attackers and there have been no confirmed reports that patient information has been misused. Both forensics firms and the FBI share that point of view. The investigators all agreed they have never seen a direct deposit attack such as this where the attackers have stolen patient data. These gangs specialize in direct deposit fraud. The attackers in this case were traced to Africa by the FBI, which has now closed its investigation.
A data audit was completed to determine the scope and nature of the information potentially compromised, which began in June 2019 and was recently completed. Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on February 13, 2020, and affected patients have been offered between twelve and twenty four (12-24) months of complimentary membership to ID Experts MyIDCare service, which includes credit monitoring, identity theft recovery, and insurance coverage.
Wise Health System has reviewed its security policies and procedures and has taken numerous steps to reinforce security. Additionally, Wise Health System has established an informational line for potentially impacted individuals to call at (940) 539-3500 or (940) 627-5921 ext. 9088.
SOURCE Wise Health System
While it is probably the case that the attack was targeting employee payroll, how will HHS view the fact that some patients were not notified for 10 months following discovery of an incident?
And once again, how much of this incident could have been reduced if there wasn’t so much PHI in employee email accounts? Was all of it current and necessary or could it have been moved out of the employees’ email accounts already?