Healthcare data carries a high value on the black market as it can be monetized in a variety of ways. One of the main methods used to gain access to the healthcare networks where patient data are stored is phishing emails. Phishing emails are also a leading vector for malware delivery, and initial access brokers often target healthcare providers with phishing emails to steal credentials, then provide access to healthcare networks to ransomware gangs.
This month, a major phishing attack was reported by Morgantown, WV-based Monongalia Health System (Mon Health) which affected two of its hospitals. Hackers sent phishing emails to Mon Health employees, with the responses to those messages providing the hackers with the credentials they needed to access corporate email accounts. Those email accounts contained the personal and protected health information of patients and employee information. Notification letters have recently been sent to 398,000 individuals affected by the attack.
While healthcare data is valuable, this phishing attack was conducted for another reason, although it is possible healthcare data were stolen by the attackers. This attack was what is commonly referred to as a business email compromise (BEC) attack.
BEC attacks can involve the theft of sensitive data but they are most commonly conducted to trick individuals responsible for making wire transfers into making fraudulent transfers to attacker-controlled accounts or to change payroll details to get direct deposits of salaries paid into the attacker’s account.
BEC attacks often start with a phishing email. Once access is gained to an employee’s account, phishing emails are sent to other employees to compromise more accounts. When the required accounts are compromised, the account owner is impersonated and an email is sent to an individual responsible for wire transfers that requests a change to bank account information on file.
In this attack, the attackers gained access to a contractor’s email account that was used to change payment details. Since the email requesting the payment details change came from a legitimate and trusted email account, the change was made and the attack went undetected. The BEC attack was detected when a payment issue was reported, and it was confirmed that the payment had left Mon Health’s account.
Mon Health is far from the only U.S. healthcare organization to suffer an attack such as this. Also this month, Florida Digestive Health Specialists started notifying 212,000 patients about an email breach that occurred in December 2020. Again, the attack was conducted to try to divert payments to an attacker-controlled account. In this case, the process of checking every email and attachment for sensitive patient data took 11 months.
These attacks risk the loss of funds through fraudulent transfers, but even if patient data are not stolen, the Health Insurance Portability and Accountability Act (HIPAA) requires patients to be notified, and usually, it is necessary to offer complimentary credit monitoring and identity theft protection services to affected patients. Those costs, in addition to the investigation and mitigation measures, can be substantial.
Once an employee email account has been compromised it can be difficult to detect and block an attack, and recovering funds after they have been transferred may not be possible unless the fraudulent wire transfer is detected quickly. The key to blocking these attacks and preventing losses is to prevent the phishing emails from reaching employee inboxes, to provide training to the workforce to help employees identify phishing emails that are delivered, and to implement multifactor authentication on email accounts to make it harder for stolen credentials to be used to access accounts.
SpamTitan Gateway and SpamTitan Cloud are two excellent choices for businesses looking to improve their defenses against phishing attacks. The solutions block more than 99.97% of spam and phishing emails from reaching inboxes, and also include outbound scanning to help identify compromised mailboxes. SpamTitan Plus, a new phishing solution released this month, takes protection to another level. SpamTitan Plus includes all major phishing feeds and has faster and better detection of malicious URLs in emails than any of the current market-leading anti-phishing solutions.
If you want to improve your defenses against phishing and BEC attacks, give the TitanHQ team a call for further information on the SpamTitan suite of products.