Privacy & Security

Hackers breach New York's largest provider with phishing attacks

While only 744 patients were included in this month’s breach, Kaleida Health already notified 2,800 of its patients in July of a separate phishing incident.
By Jessica Davis
August 31, 2017
01:18 PM

Kaleida Health, New York’s largest provider, is once again notifying patients of a phishing incident. This one involves 744 patients.

The organization discovered the incident on June 26, when it found an unauthorized third-party gained access to an employee’s email account. Officials said that after an investigation, the hacker was able to access a “small number of Kaleida Health email accounts.”

Included in those accounts were patient names, medical record number, diagnoses, treatment information and other clinical data. For some patients, it also included Social Security numbers. Officials said the financial information wasn’t included.

[Register Now: Upcoming HIMSS Healthcare Security Forum]

Kaleida is offering free credit monitoring for those impacted by the breach.

Hackers already hit the organization on May 24 and breached the records of 2,789 patients. The breach notifications sent to patients are nearly identical, except no Social Security numbers were breached during the first phishing attack in May.

[Also: The biggest healthcare breaches of 2017 (so far)]

While officials said in both letters that Kaleida is “enhancing security measures” to prevent future breaches, the best way to combat against phishing attacks is staff education.

Despite two attacks this summer, Kaleida is hardly alone as a target. 

Phishing attacks are launched by hackers in massive email campaigns, which are surgically-precise, targeted campaigns for users based on characteristics like job titles, interests or sub-groups.

“Sophisticated actors targeting a healthcare organization, instead of spamming domains, perform consumer sector spear-phishing for users they believe have elevated privileges,” said James Scott, a Senior Fellow at ICIT. “The objective is to get them to click, which will give the hackers access to move laterally across the network to gain better credentials -- such as an administrator.”

“Once inside, the hacker uses persistent ransomware or other types of malware on vulnerable devices,” he continued. “From there, they log in and exfiltrate data.”

While these attacks are easy to detect, Scott said most healthcare organizations don’t have the right cybersecurity tools in places such as layered protection, user analytics or machine learning able to detect abnormalities. 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Topics: 
Privacy & Security

More regional news

Nurses huddled together look at electronic health records on a tablet.

Epic and Marquette collaborate on EHR training for nursing students

By
Andrea Fox
October 31, 2023
HHS headquarters in Washington

New information blocking rules from HHS could cost noncompliant providers thousands

By
Mike Miliard
October 31, 2023
Physician using multiple EHRs and IT systems

Clinician EHR struggles compromise patient care, study shows

By
Nathan Eddy
October 31, 2023
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

HHS headquarters in Washington
New information blocking rules from HHS could cost noncompliant providers thousands

Most Read

Guardrails, data governance key to solid generative AI outcomes
AHA security leader sees 'AI-fueled cyber arms race'
Multiple data access deals signed in Korea for digital health research
FBI dismantles Qakbot malware targeting hospitals
Boards are grasping cyber threats, but CISOs still feel underprepared
Is your hospital ready for 3-4 weeks of downtime?

Research

White Papers

More Whitepapers

Artificial Intelligence
Analytics
Precision Medicine

Webinars

More Webinars

Analytics
Analytics
Privacy & Security

Video

Elise Kohl-Grant, cochair of the programming committee at the HIMSS New York State Chapter
New York State Chapter of HIMSS focuses on health equity
Dr. Michael Poku, chief clinical officer at Equality Health
Addressing health equity's cost curve
Dr. Michael Pfeffer at Stanford Health Care_Photo: Doctor using tablet by Sean Anthony Eddy/E+/Getty Images
CIO Spotlight: Dr. Michael Pfeffer of Stanford Health Care
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link

More Stories

A pharmacist doing an inventory using a digital tablet.
There is no escaping making investments in cybersecurity...
group of healthcare workers talking over hospital bed
Modernizing clinical placement to accelerate clinician training and recruitment
A male doctor sits with another man and they are looking at SDOH data on a mobile device.
Tufts Medical Center to pilot nutrition screening in EHR
Lynn Carroll, COO of HSBlox
Using tech to get to health equity-social determinants of health link
Yale New Haven Health
Yale New Haven radiologists boost CT scan reviews with AI
Dubai Health Authority
The current state of Dubai’s healthcare digital transformation journey
Leah Dewey, VP of clinical and consumer engagement operations at Cotiviti.
Payers have a part to play in addressing health disparities
Christie Teigland, vice president of research science and advanced analytics at Inovalon.
Medicare Advantage plans' star ratings to be affected by Health Equity Index