Medications and test results among data potentially ‘previewed’ by attacker

Washington residents' medical data exposed by phishing attack on Spokane Regional Health District

UPDATED The sensitive medical data of more than 1,200 Washington residents has been exposed after a successful phishing attack against a local public health agency.

Spokane Regional Health District (SRHD) said that “files containing client protected health information” associated with 1,260 individuals and two departments may have been “previewed” by an attacker during the incident on February 24, 2022.

However, “the investigation did not find any documents had been opened, accessed, or downloaded”, said SRHD in a data breach alert issued yesterday (March 24).

Catch up on the latest healthcare breaches and security news

SRHD said 1,060 individuals may have had their first and last names, initials, dates of birth, and various medical data compromised. Health-related information exposed included test results, medications and prescription reasons, medical referrals, client notes, and delivery dates for pregnancies, among other data.

The other 200 victims potentially had their first and last names, initials, dates of birth, phone numbers, “shelter locations”, test dates, and notes exposed.

Although neither Social Security numbers nor financial information were involved, “those affected are encouraged to monitor their bank accounts and report any suspicious activity immediately”, while ‘explanation of benefits’ statements should be “monitored for possible ID theft activities”, according to SRHD.

Potential victims have been notified of the breach, added the healthcare provider.

Phishing spike

SRHD said it had “implemented appropriate corrective actions” to prevent further breaches, related to cybersecurity training, use of multi-factor authentication (MFA), and testing related systems.

“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts,” said Lola Phillips, deputy administrative officer at the SRHD. “In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves.

“We have a strong commitment to safeguard your personal information, and we are working diligently to reduce the likelihood of future events.”

In response to an invitation to comment further, SRHD told The Daily Swig:

“Since our staff are our first line of defense, we are focusing on giving them the tools they need to recognize and thwart future attempts. We are beginning the roll-out of Drip7, a required four-part cybersecurity training for employees that focuses on recognizing social engineering, phishing specifically, password creation and protecting privacy. The program includes regular communication with staff throughout the year on cybersecurity topics and several test phishing attempts throughout the year.

“Keeping up with the increasing data breaches that are taking place throughout our state, especially against health care organizations, has been challenging. But we will meet that challenge with increased employee education and continued monitoring and system updates to better capture fraud attempts before they hit in-boxes.”

One of 34 local public health agencies in Washington state, Spokane Regional Health District serves a population of more than 400,000 in Spokane County.

This article was updated on March 28 with additional comment from SRHD.

DON’T FORGET TO READ Okta investigates LAPSUS$ gang’s compromise claims