Centura Health – the nonprofit umbrella that owns Mercy Regional Medical Center – has sent letters to about 1,000 people in Durango warning that hackers may have gained access to their personal information.
The potentially compromised information includes patients’ name, Social Security number, Medicare beneficiary number, address, date of birth and phone number as well as clinical information, such as a patient’s diagnosis, date of service, the name of a patient’s treating physician and medical-record numbers.
According to a news release circulated by Centura Health, the hackers may have breached patients’ private information through a sophisticated “phishing” email attack that targeted Centura health employees.
As is typical in phishing schemes, the hackers tried to acquire Centura Health employees’ usernames and passwords in February by masquerading as a trustworthy source via email.
According Centura’s release, “a small group of Centura Health employees responded to the emails thinking they were legitimate requests. When Centura learned of this, it was able to immediately stop the attack and began an investigation.”
Asked what guise the attackers posed under, a Centura spokeswoman would not comment.
In phishing attacks, cybercriminals often purport to be trustworthy entities, such as a bank, social-media website or popular business, then trick their victims into downloading attachments or clicking on links that infect victims’ computers with malicious software. Phishing schemes are incredibly difficult for large organizations to thwart because their success relies on human gullibility, rather than technological weakness.
Unlike the notorious Nigerian prince email scam, even savvy Internet users fall for well-executed phishing attacks. Last year, Chinese government hackers used a phishing scheme to gain access to every computer on The New York Times’ network in the months running up to the Times’ exposé about the billions of dollars Wen Jiabao, China’s prime minister, had amassed through business dealings.
According to Centura’s release, Centura hired an external forensics firm to perform a comprehensive review of the affected employees’ email accounts as soon as it learned of the attack.
The review confirmed that the attackers may have gained access to patients’ private information.
According to Centura, “there is no evidence that the information in the emails was ever viewed or used in any way. However, as a precaution, Centura Health began mailing letters to potentially affected patients on April 22.
“Centura Health takes our role of protecting patient information very seriously, and we deeply regret that this has happened,” said Nima Davis, vice president and corporate responsibility officer for Centura Health in the release.
The release says Centura Health took “immediate steps to implement and reinforce necessary protective measures to help prevent similar events. Those steps included immediately stopping the attack, performing an investigation and hiring an outside forensics expert to assist, reinforcing education to all employees regarding ‘phishing’ emails and continuing to implement enhancements for strengthening user login authentication.”
The release says Centura Health also has notified the “appropriate authorities.”