Phish emails are a form of email fraud intended to deceive their recipient for personal gain. Cyber-criminals use social engineering to make their phish bait more appealing by researching their targets. Nine employees fell victim to a phish attack, compromising the information of 350,000 patients.
Phishing is a popular tactic among hackers as a method of online identity theft, business compromise, and malware infection. 91% of cyber-attacks begin with a phishing email (PhishMe). Jessica Davis with Health IT Security discloses the Oregon DHS Phishing Attack:
Nine Oregon Department of Human Services employees fell victim to a targeted phishing attack campaign, which compromised the data of 350,000 patients in about 2 million compromised emails.
On January 28, Oregon DHS’ Enterprise Security Office Cyber Security team determined the email accounts were breached, according to officials. A third-party security team was hired to investigate the incident and determine what information was exposed in the cyber-attack.
Officials determined those spear-phishing emails were sent to DHS employees on January 8. The employees clicked on the link and compromised the accounts, giving the hackers access to the employees’ email information.
The investigation revealed those accounts contained roughly 2 million emails, including the personal and medical data of its patients. The security team was able to stop the hacker’s access, and DHS is currently reviewing the incident and the specific information involved.
The exact number of patients impacted by the event has not yet been finalized. But DHS serves about 1.2 million clients. Once confirmed, the impacted patients will receive a notification.
The unauthorized person had access to client data, including full names, addresses, dates of birth, Social Security numbers, case numbers, and other administration information, according to officials. The investigation did not find evidence that the data was copied from the DHS system.
The breach is similar to the targeted phishing campaign that Minnesota’s Department of Human Services faced over the summer. Several employees fell victim, and officials did not discover the attack until months later. Just 21,000 patients were impacted; however, the hearing that followed highlighted two critical issues facing government agencies and healthcare: a lack of resources and staff to better prevent and detect phishing attacks.
A recent Barracuda report found that hackers are exploiting urgency and personalization in phishing attacks: 70 percent of phishing attacks attempt to establish rapport with victims. To combat this, a JAMA study determined that phishing education and training significantly reduced the likelihood that employees will open a malicious email.
Davis, Jessica. (2019, March 22). 350,000 Patients, 2M Emails Exposed in Oregon DHS Phishing Attack. Health IT Security.