The Southwest Washington Regional Surgery Center (SWRSC) stated that they recently suffered a phishing attack that affected nearly 2,400 patients’ protected health information.
According to the official statement, cyber attackers potentially accessed the information between May 27, 2018 and August 13, 2018 through a phishing attack on one of SWRSC’s employees. The SWRSC stated that they’ve notified the affected users on November 6, 2018, about the breach.
“After an extensive forensic investigation and manual email review, SWRSC discovered on September 25, 2018 that the impacted email account that was accessed contained some Protected Health Information, including some patients’ names, Social Security numbers, driver’s license numbers, and/or medical information (diagnosis, treatment, surgery, medications, labs and/or health insurance information). A limited number of patients’ credit card numbers were also contained in the impacted email account. This incident does not affect all SWRSC patients,” the statement read.
SWRSC clarified the affected patients that no information has been misused. However, the health center reminded them to review their account statements for any fraudulent activity. SWRSC specified that they’re providing free credit monitoring and identity theft restoration services to the patients whose social security numbers or license numbers were compromised. SWRSC enhanced its email access protocols and updated its passwords to prevent similar issues in the future.
A recent study revealed that data breaches in Washington are continuing to rise. According to the third annual data breach report, Attorney General Bob Ferguson stated that around 3.4 million residents of Washington fell victim to data breaches between July 2017 and July 2018 and the number keep rising. Out of the three categories that Ferguson defined—malicious cyber-attacks, theft or mistake, and unauthorized access—malicious cyber-attacks are the leading cause of data breaches affecting Washington residents. The report also identified deficiencies in Washington state’s data breach notification law and suggested ways to strengthen the same.