The data breach incident occurred in July, when “a DCBS employee responded to a ‘phishing’ e-mail sent by a hacker. Unauthorized activity on the account was identified within a half hour and the account was immediately disabled. While there is no evidence that the confidential contents of the e-mail account were accessed or viewed, the hacker did have access to the e-mail account for a brief period. Data about the individuals being notified was included in the National Youth Transition Database monitoring those in the process of or who have recently aged out of the foster care system.”
Under the HIPAA Security Rule, CHFS is required to report a potential data breach affecting 500 individuals and to notify the affected individuals. This incident highlights the importance of employee training in secure email usage. Phishing is an attempt to acquire confidential information, such as usernames and passwords, from unsuspecting individuals, usually via email or text messages, by posing as a trustworthy source.
Phishing messages (email or text) may look like these:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
Using techniques like these, hackers can gain unauthorized access to IT systems and confidential patient data. Unintentional exposure of electronic protected health information (ePHI) by employees can be avoided by training employees in the acceptable and safe use of computer systems. Employees need to be made aware of the potential data breach risks when using email or browsing the internet.
The following simple email usage policies, when implemented correctly, can reduce the risk of an ePHI breach:
- Emails containing ePHI have to be encrypted when stored on the computer/server.
- Emails containing ePHI have to be encrypted during transmission.
- Periodically train employees to recognize phishing scams and other hoaxes designed to steal their identity. Recommended ways to deal with phishing scams include:
  - Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don't ask for this information via email or text. The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond.
  - Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
  - Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a "refund." But a local area code doesn’t guarantee that the caller is local.
  - If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
  - Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain viruses or other malware that can weaken your computer's security.
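To make the recognition rules above concrete for mail triage, here is an added Python example (not code from the original article) that checks a message body against them: requests for personal data, threats or lures, callback phone numbers, and links whose real target differs from the claimed sender or from the visible link text. The sender domain bank.example, the sample bodies (including the two quoted above) and the 555 phone number are constructed for the example.

```python
import re

# Indicators taken from the advice above (patterns are illustrative, not exhaustive).
ASKS_FOR_DATA = re.compile(r"\b(password|social security|credit card|bank account"
                           r"|account number|(confirm|verify) your (identity|information))\b", re.I)
THREAT_OR_LURE = re.compile(r"\b(unauthorized|suspend\w*|clos\w+ your account|refund)\b", re.I)
PHONE = re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")
# Simple anchor pattern, enough for the constructed samples below (a real filter would use an HTML parser).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(s):
    """Hostname if the string looks like a URL or domain, else ''."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z0-9]{2,})(?:[/:?#]|$)", s.strip(), re.I)
    return m.group(1).lower() if m else ""

def same_org(h, sender_domain):
    # Exact match or a true subdomain; a bare endswith() would accept look-alikes
    # such as secure-bank.example standing in for bank.example.
    return h == sender_domain or h.endswith("." + sender_domain)

def phishing_indicators(body_html, sender_domain):
    """Return the names of the indicators one message triggers (empty list if none)."""
    text = re.sub(r"<[^>]+>", " ", body_html)
    hits = []
    if ASKS_FOR_DATA.search(text):
        hits.append("asks-for-personal-info")
    if THREAT_OR_LURE.search(text):
        hits.append("threat-or-lure")
    if PHONE.search(text):
        hits.append("callback-phone-number")
    for href, label in ANCHOR.findall(body_html):
        if host(href) and not same_org(host(href), sender_domain):
            hits.append("link-outside-sender-domain")
        if host(label) and host(label) != host(href):
            hits.append("link-text-hides-real-target")
    return hits

# Constructed samples, all claiming to come from bank.example: the two messages quoted above, a callback lure, and a benign notice.
SAMPLES = [
    '<p>We suspect an unauthorized transaction on your account. To ensure that your account '
    'is not compromised, please <a href="http://secure-bank.example/login">click the link '
    'below</a> and confirm your identity.</p>',
    "<p>During our regular verification of accounts, we couldn't verify your information. "
    'Please <a href="http://192.0.2.10/update">click here</a> to update and verify your information.</p>',
    '<p>Call (555) 555-0100 within 24 hours to claim your refund.</p>',
    '<p>Your monthly statement is ready. Sign in at '
    '<a href="https://www.bank.example/statements">www.bank.example</a> to view it.</p>',
]
```

Running `phishing_indicators(body, "bank.example")` over SAMPLES flags the first three messages and returns an empty list for the benign notice.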
Keeping your patient data safe requires a multi-pronged approach that not only includes secure technology, but also places emphasis on appropriate policies, procedures, and ongoing employee training in the proper use of computer systems.
Additional resources: see also this Microsoft site for more information on phishing and ways to prevent it.