A Pittsburgh-based health system has suffered a data breach with protected health information stolen.

Described by the Allegheny Health Network as a “data security incident,” the data was compromised between May 31 and June 1. In a July 29 statement to patients, the health system said the compromise occurred after an employee was sent a malicious phishing email link that led to the employee’s email account being compromised. The threat actor is then said to have obtained access to files relating to about 8,000 patients.

After shutting down the affected email account, AHN ticked off the standard response list for a data compromise. The organization said it implemented preventative and monitoring controls, network blocking and resetting of passwords. A third-party digital forensic firm has been hired and ongoing efforts are underway to implement additional preventive controls to enhance its security posture and email security controls.

AHN noted that it had not discovered any evidence that the data potentially accessed has been used fraudulently. Potentially compromised data includes patient name, date of birth, medical records, address, patient phone number, driver’s license number and email address. In some cases, Social Security numbers and financial account information may have also been compromised.

Affected patients are being offered two years of identity protection and monitoring services through Experian PLC at no cost.

“Email phishing continues to be a top attack vector across all industries, and unfortunately far too often it results in incidents such as this,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Attackers especially like tricking people into entering their credentials on a fake login site, which they can then use to compromise the email account.”

Kron explained that so much business is done through email, not to mention the ability to reset other account passwords through our email, and cybercriminals know that having unfettered access to an account can lead to a windfall for them.

“To protect against the attacks such as this, educating users on how to spot and report phishing attacks, then allowing them to practice the skills through simulated phishing emails, is a key way to reduce risk,” Kron added. “In addition, while not foolproof, ensuring that accounts have multifactor authentication enabled can significantly improve the security of accounts, especially when credentials are stolen.”

Photo: Allegheny Health Network