A healthcare employee of Revere Health, the largest healthcare firm in Utah, was targeted in a phishing email attack that exposed some medical records for approximately 12,000 patients, including patients of a cardiology practice in St. George.
According to a breach notification sent out by Revere Health on Friday, the employee’s mailbox was exposed for roughly 45 minutes on June 21 and leaked some private details about patients of the Heart of Dixie Cardiology Department in St. George. The phishing attack was rapidly identified by the Revere Health IT team, which immediately secured the mailbox to prevent unauthorized access.
After a two-month investigation, Revere Health believes the aim of the attacker was not to secure access to patient data but to use the email account to launch more sophisticated phishing email attacks on other Revere employees. The company found the patients’ data wasn’t being shared online and deemed the breach to be a “low-level risk” to affected patients.
“From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information. Our security logs suggest that the attacker had three objectives: (1) to spread phishing emails, (2) to gather active usernames and passwords and (3) to attempt financial fraud against Revere Health,” stated the healthcare company.
The exposed data included medical record numbers, dates of birth, provider names, procedures, and insurance provider names. According to Bob Freeze, the director of marketing and communications for Revere Health, no financial information such as credit card information was exposed by this data breach. The company has informed the impacted patients about the situation and advised them to remain vigilant.
According to the FBI’s 2020 Internet Crime Report, there were 241,342 victims and over $54 million was lost due to these attacks. In 2020, phishing attacks increased by 99.8% from 2019, when there were 114,702 reported attacks. In 2018, there were only 26,379 phishing attacks.
Freeze says Revere Health has further strengthened its tech security protocols and will now send test-phishing emails to employees to prevent more attacks. If they click on the test emails, they will have to undergo awareness training from the group’s IT department. The company also advised its employees to review all aspects of an email before engaging with it.
According to the Federal Trade Commission (FTC), a phishing email address often looks legitimate, but when it is clicked, a more sophisticated email address appears. The FTC has recommended several common techniques to avoid phishing attempts, including keeping up with software updates on devices, installing security software, using multi-factor authentication so it takes more than a password to log in, and backing up data regularly. Users were also advised not to open any links from suspicious email addresses or phone numbers.