Presbyterian Healthcare reports phishing scam exposed 183K patients' data

Security lock on computer data
Phishing scams are an ongoing cyber threat to healthcare organizations. (Getty/gintas77)

New Mexico-based Presbyterian Healthcare Services notified 183,000 patients and health plan members their protected health information may have been exposed during a phishing attack targeting the email accounts of some employees.

The health system, which operates nine hospitals throughout New Mexico, said the monthlong phishing attack was discovered June 6. The unauthorized user gained access to email accounts that included names of patients and health plan members and may also have contained dates of birth, Social Security numbers and clinical and/or health plan information.

"Once Presbyterian became aware of this incident, it secured these email accounts, began a thorough review of the impacted emails and alerted federal law enforcement," the health system said in a statement on its website.

White Paper

How to Grow Membership with Comprehensive Sales Technologies

To win, healthcare payers need a breakthrough shopping experience alongside a comprehensive view of the sales pipeline. In this industry white paper, payers can learn how to accelerate acquisitions and engage shoppers with truly integrated, comprehensive sales technologies.

The breach did not affect the health system's electronic health records (EHRs) or billing systems, Presbyterian Healthcare said.

RELATED: Survey finds alarming number of healthcare workers have not had cybersecurity training

The health system reported on the U.S. Department of Health and Human Services' (HHS') breach portal that the breach impacted 183,370 individuals. 

The exposure of close to 200,000 patients' data highlights the ongoing threat of phishing scams targeting healthcare employees. Just in the past month, there have been eight data breach incidents reported to the HHS breach portal that cite email hacking as the reason for the breach.

A recent study published in JAMA Network Open found that hospital employees are vulnerable to phishing emails, as 1 in 7 simulated phishing emails sent were clicked on by hospital employees. Click rates in phishing simulations at hospitals indicate a major cybersecurity risk, according to the study, with a median click rate of 16.7%.

Despite these risks, a survey from Kaspersky found nearly a third of healthcare employees (32%) have never received cybersecurity training from their workplace.

Presbyterian said it is taking steps and implementing additional security measures to further protect its email system. Health system staff must complete mandatory annual training about the importance and requirement to safeguard all information, Presbyterian said.

Workforce members also receive reminders about safeguarding information stored electronically and how to avoid phishing scams.

RELATED: Majority of healthcare breaches come from inside the organizations: report

The incident at Presbyterian is one of several major data breaches reported this week. Last week, Massachusetts General Hospital reported that nearly 10,000 patients involved in research studies were impacted by a third-party privacy breach that may have exposed their medical diagnoses, test results, and genetic information.

Reno, Nevada-based Renown Health reported a lost, unencrypted thumb drive that contained the protected health information on 27,004 patients, according to HIPAA Journal.

Gray Harbor Community Hospital in Washington was hit with a ransomware attack in June that impacted its EHR, the hospital said in a statement posted to its website Aug. 14. The hospital said there is no indication that any data was exposed or accessed by unauthorized individuals. Working with network and forensics consultants, the hospital has recovered much of the patient healthcare information, but certain parts of the electronic medical record remain encrypted and inaccessible by Gray Harbor Community Hospital and Harbor Medical Group, the organization said.

The attackers demanded a ransom be paid in bitcoin that would be valued at more than $1 million at this point, according to reporting from The Daily World. The hospital did not pay the ransom.