The sensitive medical data of more than 1,200 Washington residents has been exposed after a successful phishing attack against a local public health agency.
Spokane Regional Health District (SRHD) said that “files containing client protected health information” associated with 1,260 individuals and two departments may have been “previewed” by an attacker during the incident on February 24, 2022.
However, “the investigation did not find any documents had been opened, accessed, or downloaded”, said SRHD in a data breach alert issued yesterday (March 24).
SRHD said 1,060 individuals may have had their first and last names, initials, dates of birth, and various medical data compromised. Health-related information exposed included test results, medications and prescription reasons, medical referrals, client notes, and delivery dates for pregnancies, among other data.
The other 200 victims potentially had their first and last names, initials, dates of birth, phone numbers, “shelter locations”, test dates, and notes exposed.
Although neither Social Security numbers nor financial information were involved, “those affected are encouraged to monitor their bank accounts and report any suspicious activity immediately”, while ‘explanation of benefits’ statements should be “monitored for possible ID theft activities”, according to SRHD.
Potential victims have been notified of the breach, added the healthcare provider.
Phishing spike
SRHD said it had “implemented appropriate corrective actions” to prevent further breaches, related to cybersecurity training, use of multi-factor authentication (MFA), and testing related systems.
“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts,” said Lola Phillips, deputy administrative officer at the SRHD. “In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves.
“We have a strong commitment to safeguard your personal information, and we are working diligently to reduce the likelihood of future events.”
One of 34 local public health agencies in Washington state, Spokane Regional Health District serves a population of more than 400,000 in Spokane County.
Source: https://portswigger.net/daily-swig/washington-residents-medical-data-exposed-by-phishing-attack-on-spokane-regional-health-district
