Spear-phishing campaign to blame for PIH Health security incident

The personally identifiable information of nearly 200,000 current and former patients of a California healthcare network may have been compromised following a phishing campaign that successfully targeted employee accounts.

A potential data breach at PIH Health – operator of 10 hospitals, urgent care centers, and other facilities across southern California – was first uncovered on June 18, 2019.

This prompted the Whittier-based healthcare organization to secure its email system and network, including resetting passwords for potentially affected employee accounts.

The investigation into the breach revealed on October 2 that certain employee email accounts had indeed been accessed without authorization between June 11 and June 18, following a targeted phishing campaign.

On November 12, the healthcare provider said it became clear that the email accounts in question may have contained the personal data of current and former patients.


In a security alert issued on January 10, PIH Health said it started notifying potential victims by letter on the same day.

Some 199,548 individuals may have been impacted by the incident, according to the US Department of Health and Human Services’ healthcare data breach portal.

PIH Health said it was implementing additional security measures to prevent a similar security incident from happening in the future.

The company has also established a toll-free call center to field questions about the incident, and is offering complimentary credit monitoring services to some potential victims.

As of January 10, when the security alert was issued, the healthcare facility said it was “not aware, and the independent forensic investigation did result in the identification of, any evidence that information involved in this incident has been misused.”

The Daily Swig has contacted PIH Health for an update on its investigation.
