Presbyterian Healthcare announced that a phishing attack targeting its employees might have led to more than 183,000 patient records being exposed, the organization announced.

WHY IT MATTERS
The health system, which is based in New Mexico and operates nine hospitals statewide, issued a statement on its website confirming the email phishing scam and noting it had secured the affected email accounts.

The statement also said the organization has already begun a "thorough review" of the impacted emails and alerted federal law enforcement agencies, and also detailed the attack, which was initially discovered in June but occurred in May.

The statement explained the anonymous, unauthorized access from an unknown source was gained through a deceptive email to some of Presbyterian's workforce members.

The data accessed during the breach included patient and health plan member names and may have contained dates of birth, Social Security numbers, and some clinical and health plan information.

The organization noted that the breach did not affect its electronic health records or billing systems, and also said it was not aware of any improper use, or attempted use, of patient information.

THE LARGER TREND
The announcement comes less than a week after Massachusetts General Hospital reported a neurology department data breach that exposed protected health information of around 10,000 people.

Cyberattacks, especially those stemming from phishing schemes, continue to plague healthcare organizations, with 37% of all incidents traced to phishing, according to an April report from data privacy and cybersecurity law firm BakerHostetler.

Trojans, spyware and phishing scams all plague the healthcare industry, which leads all sectors in the number of data breaches, according to the company's 2019 Data Security Incident Response Report, which was released in May.

The report noted that while information is at risk from attacks of varying degrees of sophistication, phishing emails most commonly provide an entrance for hackers into healthcare systems, although other security vulnerabilities were identified.

Even as the threat landscape broadens, a series of reports suggests that despite some halting progress with cybersecurity readiness, healthcare is still lacking in many key areas.

ON THE RECORD
"To help prevent this incident from happening again, Presbyterian is taking several steps and implementing additional security measures to further protect our email system," Presbyterian Healthcare's statement noted. "In addition, all workforce members annually must successfully complete mandatory training about the importance and requirement to safeguard all information."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209