Does your urgent care staff know how to recognize a phishing attack? The staff at the Medical College of Wisconsin (MCW) didn’t, and they experienced a PHI breach that potentially affected 9,500 individuals.
According to a notice issued by MCW, the medical college fell victim to a spear phishing attack on its email system. As a result, an unauthorized third party accessed a “limited number” of employee email accounts that contained one or more of the following: patients’ names, home addresses, dates of birth, medical record numbers, health insurance information, date(s) of service, surgical information, diagnosis/condition, and/or treatment information. Social Security numbers and bank account information for a very small number of patients were also contained within the affected email accounts. It’s unclear whether any of this information was actually “accessed, viewed, downloaded or otherwise acquired by the unauthorized user.”
The cost of a PHI breach, whether from a phishing attack or other source, must be calculated not just in terms of monetary liability, but also potential reputational damage. For many urgent care centers, the latter can turn out to be much costlier than the former.
The formula for determining the monetary liability of a PHI breach can be complicated, and the calculation of a fine is an art, not a science. The Department of Health and Human Services (HHS) levies a fine based on a four-tiered violation category scale which starts at “Unknowing” and ends with “Willful Neglect – Not Corrected.” This means fines for a PHI breach can range from $0 to $50,000 per patient affected, depending on the level of culpability that HHS assigns to the business practices which led to the breach. HHS may also take other factors into consideration, including your center’s history of data breaches and the effectiveness of your compliance program.
What centers often don’t realize is that whenever more than 500 residents of a state or jurisdiction are affected by a PHI breach, the covered entity must not only report to the government but must also inform local media. This means there is a high likelihood that your urgent care center will be on the local news and featured in the regional newspaper. The reputational damage this can cause should not be underestimated. Some urgent cares are able to write a check for the possible fines that HHS imposes, but it’s much more difficult to remediate the damage to a center’s reputation in the local community.
So what exactly caused MCW’s PHI breach? Phishing is an attack in which a criminal uses electronic communications to impersonate a trusted source or entity in order to obtain sensitive information, such as usernames, passwords, or credit card numbers. The attacker creates messages that look like they have been sent from a legitimate source, whether a friend, a retailer or your bank, so you don’t think twice about clicking on a link or opening an attachment. But that link or attachment is what catches you – hook, line and sinker.
The word “phishing” is a homophone of “fishing” because the electronic communication is bait used to trap victims into giving up their information. Which leads us to spear fishing, er, phishing, a more targeted form of phishing. Standard phishing attacks are sent out at random to millions of people across the internet, while spear phishing attacks are targeted to select individuals. Spear phishing requires research so the sender can create customized messages that are highly relevant to their targets. This makes it much more likely the recipients will fall victim to the attack. If your urgent care center receives a spear phishing attack like MCW did, the communication will be much harder to identify as malicious, which is why it’s so important for your staff to know how to recognize phishing attacks.
There are telltale signs that a communication is a phishing attack, so strong attention to detail can save your urgent care a lot of trouble. These are some of the most common indicators that a communication is a phishing attack:
Remember, just because a message looks like it comes from a friend or family member doesn’t mean it’s safe. The best way to protect your urgent care center is to host regular trainings with your staff to remind them of best practices in internet safety.