A phishing attack on Ohio-based Aultman Health Foundation potentially breached the data of 42,600 patients of its AultWorks occupational medicine division, hospital and 25 physician practices for more than a month.

After discovering the breach on March 28, officials lead an investigation that found hackers gained access to several email accounts in mid-February, which continued through late March. While the email accounts weren’t on the computers that store EHR data, the breached emails included some patient information.

Upon discovering the unauthorized access Aultman reset account passwords and increased the password length and complexity. Officials said they also added new security features to email accounts and improved its security monitoring procedures. Employees also are receiving further security education.

“We are making it a top priority for our organization and are assigning resources and staff to this issue to help those patients affected by this incident,” Tim Regula, Aultman Health Foundation vice president of compliance and audit, said in a statement.

Included in the compromised data were demographic data of patients, physical exam information, medical histories and test results. For some patients, officials said that driver’s license numbers and Social Security numbers were breached.

Officials also said that patient data could also be at risk if it was contained in emails shared by employers with AultWorks occupational medicine division.

Patients who had their Social Security numbers or driver’s license information breached are being offered a year of free identity protection, officials said.

Phishing attacks have pummeled the healthcare sector for at least two years and continue to be one of the most common attack methods. Onco360 and CareMed were breached this year, impacting more than 50,000 patients, along with dozens of others.

One of the biggest issues is that some of the same legal phishing methods used by hospitals as an offensive method to find flaws in a hospital’s network can be found on the dark web to gain access into a victim’s network.

When used by hackers, phishing-as-a-service leverages customer service and metrics to help the hacker find the right target. And just one hacker can send out a million emails in an hour. To combat this, healthcare organizations need layered protection, along with user analytics and machine learning to find abnormalities.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com