Incident Of The Week: UConn Health Phishing Attack Exposes Patient Data

The breach threatens the privacy of 326,000 individuals

Kayla Matthews

Data breaches are increasingly common in today's society, and people don't have to browse the headlines for very long to realize it. One of the reasons why they're becoming more alarming is the sheer amount of data accessible to a cybercriminal who pulls off a successful attack. One infiltration could result in obtaining hundreds of thousands of personal records.

And, some data is more valuable than others. The healthcare industry is a prime target for attacks, and that's primarily because of the wealth of patient and employee information associated with it. Hackers could sell the data on the black market and soon see their illegal actions pay off.

Many cyber security sites keep lists of the most severe breaches that happen throughout the year. Some of them also discuss the incidents that are among the first or last attacks in that period, and then either give predictions about the months ahead or offer a summary of what happened in the recent past.

An incident associated with UConn Health was among the last such issues of 2018 since representatives from the organization became aware of it on December 24.

Details of the Attack From UConn Health

According to a statement on the health system's site, it said that an unauthorized third party got access to some employee email accounts. The information within included things like Social Security numbers, birthdays, names and details about billing specifics or medical appointments.

Beyond that, the statement from the company was extremely vague, likely because the organization was still investigating what happened. It said UConn Health could not confirm whether the third party looked at or took the information in the accounts. Moreover, the health system was not aware of any individuals suffering from fraud or identity theft due to the incident.

Further Information Came to Light

Fortunately, reports published in February 2019 gave more clarity about the extent of the breach. The coverage said the breach affected as many as 326,000 individuals, and that 1,500 of them may have involved Social Security numbers. Also, a representative from UConn Health mentioned that the incident was a phishing attack, but said the organization had not identified the person or group responsible.

How Did the Organization Respond?

Once UConn Health realized what happened, it secured the affected accounts and checked the security for the overall email system. It also contacted law enforcement and hired a forensic science firm to search for the personal information impacted.

On the customer side of things, all people who may have had their data taken got notification letters about the event provided that the organization had valid mailing addresses for them. UConn Health is not the only health brand that had to send such mailings following a breach.

UW Medicine is another organization hit by a recent breach. It learned of a data breach on December 4, 2018. In that case, 974,000 people received letters letting them know what happened.

The correspondence from UConn Health contained information that explained some steps people could take to avoid further issues that might stem from the information compromised here. It offered free identity theft protection for the people who had their Social Security numbers revealed. UConn set up a dedicated toll-free number people could call to ask questions, too.

It also mentioned taking continual preventative steps against future attacks like this.

Avoiding Healthcare Data Breaches

Whether organizations have already gone through data breaches or are trying to prevent them, it's necessary to take a multi-step process. Staff training plays a significant role. For example, people in data entry roles must learn that the information is valuable and needs careful handing that follows data entry procedures at all times.

Since the UConn breach happened due to phishing, health care organizations should take the time to re-educate their staff members about what phishing is and some the warning signs of a suspicious email. Similarly, it's worth reaching out to customers and reminding them that genuine representatives of the organization will never ask for a recipient's password, for example.

See Related: "The Phishing Phenomenon: How To Keep Your Head Above Water"

And, health care facilities may want to invest in cybersecurity solutions that use artificial intelligence (AI). They can detect unusual network activity, plus scan huge databases to find the characteristics of past attacks and adapt to keep them from happening again. In any case, the fact that cybersecurity attacks are so common in health care makes it necessary to periodically audit networks, then find and fix weak points.

Awareness Is Essential

Whenever people provide their data or work with information connected to others, it's crucial for them always to be mindful of their actions. Questioning the legitimacy of all electronic communications doesn't stop all attacks, but it's a good start in improving awareness.

See Related: “Security Advocacy: A Must for Today’s Enterprise