Jefferson Healthcare hit by 'phishing' cyber attack

The personal information of roughly 2,550 people was compromised by a "phishing" attack on the email account of an employee at Jefferson Healthcare, the organization announced Monday.

The information stolen may have included the full names of individuals, as well as their dates of birth, phone numbers, home addresses, and health insurance information.

The breach also included access to certain health information, such as dates of service and diagnosis and treatment information, according to Jefferson Healthcare.

Phishing is an email scam where fraudsters send fake but official-looking emails in an attempt to gain access to someone's sensitive personal and financial data. 

The phishing attack happened Monday, Nov. 9, and was discovered three days later.

Jefferson Healthcare officials said the organization immediately took steps to halt the unauthorized access to the employee’s email account and to prevent further access.

Anyone whose information may have been accessed because of the data breach has been contacted by Jefferson Healthcare, officials said Monday.

Amy Yaley, a spokesperson for Jefferson Healthcare, said a police report on the incident was filed.

The phishing attack was not announced until this week because Jefferson Healthcare just received the results of an investigation into the attack by forensic specialists.

The organization hired two forensic specialist companies to investigate the data breach and determine the nature and size of the attack, as well as what information was stolen.

Investigators went through 30,000 emails and any attachments that were included, Yaley said.

"There was no simple way to do this. It was an email by email by email by email process," she said.

In some cases, people's Social Security numbers and financial information may have been accessed.

Jefferson Healthcare said the potential theft of financial information and Social Security numbers was limited to 84 cases.

Yaley said Jefferson Healthcare is offering those people one year of free credit checks and monitoring through Experian to make sure their information is safe.

Officials said relatively few documents were likely reviewed, and the organization's electronic medical record system was not compromised.

The agency's billing systems were also not accessed.

"They weren't able to breach our firewall to get into our medical records and they didn't breach our firewall to get into our financial system," Yaley said.

The organization said it has reinforced training for employees on how to avoid phishing schemes and other cyber attacks, and Jefferson Healthcare is also reviewing its policies and procedures on safeguarding information.

"As the bad actors mature and evolve in their methods we are having to do the same. It's just a continual process," Yaley said.

"Jefferson Healthcare takes individual privacy, and the trust of our community, seriously and has taken immediate steps to enhance our information security systems," said Brandie Manuel, Jefferson Healthcare's chief patient safety and quality officer.

"We continue to be vigilant resolving security threats as they are identified and educating our staff members," Manuel said. "We are committed to transparency and sincerely apologize to those who have been impacted by this breach."