In June 2019, The Methodist Hospitals, Inc. identified unusual activity within employee email accounts. They immediately started an investigation, working with third-party forensic investigators to assess the scope of the incident. On August 7, 2019, the investigation revealed that two employees had fallen victim to a phishing email that gave an unauthorized actor access to their email accounts.
One account showed unauthorized access on June 12, and from July 1 to July 8, 2019. The other account showed unauthorized access from March 13 to June 12, 2019. Though there is no evidence of attempted misuse at this time, The Methodist Hospitals, Inc. could not rule out that sensitive data may have been accessed during these periods.
The information involved includes “…name, address, health insurance subscriber, group, and/or plan number, group identification number, Social Security number, driver’s license/state identification number, passport number, financial account number, payment card information, electronic signature, username and password, date of birth, medical record number, CSN number, HAR number, Medicare/Medicaid number, and medical treatment/diagnosis information.”
Key Takeaways and Lessons Learned
Phishing training is important, especially for HR and other employees who may work with outside parties. Continued training with examples of real-life phishing emails may help employees avoid falling prey to these attacks. Our own Trevor Collins explains a recent experience he had with a Netflix phishing email.
In addition, enabling multi-factor authentication on any service that supports it is highly recommended. With that additional approval factor in place, compromised passwords aren’t as big of a concern as they are without it. WatchGuard’s AuthPoint uses push notifications to inform users of login attempts. Approving or denying the notification permits or denies access to that service. Stay safe and be vigilant, folks.