Phishing and Medical Records: Not a Great Combination
Over the last few years, there have been many breaches involving hospitals, doctors' offices, and other institutions that hold medical records. These records are generally kept in electronic form, as electronic medical records (EMR) or electronic health records (EHR), and they carry a definite value on the dark web. They are clearly not lying about for anyone to exfiltrate; they are secured at various levels through the application of information and cybersecurity controls. Not applying such security would be negligent and a violation of several laws, including HIPAA. With the records themselves secured, attackers need alternative methods to compromise the systems that hold them.
One such incident occurred in 1Q2018. Unity Point Health was compromised between February 1st and 7th, and the attackers, as an extension of the compromise, were able to access approximately 16K patient medical records. The attack vector was a phishing attack.
The attackers were able to exfiltrate patients' names, dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, dates of service, and insurance information. The attackers may also have had access to social security numbers and other patient financial information.
This is a training opportunity for the medical field: it shows what a single, simple, yet effective phishing email can lead to.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.