Unauthorized access to an employee email account at Mercy Hospital in Iowa City, Iowa, may have revealed the personal information of over 60,000 residents of Iowa, according to a notification that the hospital and its attorneys filed with the state and sent to affected individuals. The data revealed included names, Social Security numbers, driver’s license numbers, dates of birth, medical treatment information and health insurance information. The email account was compromised from May 15, 2020, until June 24, 2020, when the unauthorized access was discovered after the account sent spam and phishing email messages. A more thorough investigation, conducted several months later in October, revealed that the data in the email account contained protected health information.
Attackers frequently target email accounts for compromise because of the wealth of sensitive information that is often available in them. Email access can also be used to reset passwords for almost any other account, giving the attacker control over much more information and the ability to initiate financial transactions. For these reasons, it is extremely important to protect email account access with more than just a password. Multi-factor authentication (MFA) using a mobile app that generates one-time passcodes is much stronger than password authentication and should be used to protect all corporate email accounts. IT professionals who are responsible for setting up email access should ensure that no “legacy authentication” methods (such as SMTP, POP3 and IMAP) are allowed to bypass the MFA requirement. Security analysts should also review any suspicious login events coming from IP addresses that are unusual for the user of the account. With remote workers traveling, however, that analysis can be difficult, and it is always a step behind the attackers. Proactively locking down access to accounts using MFA is a much more effective approach.
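The login review described above, as an added example that is not part of the original article or the hospital's notification: a Python script that flags successful sign-ins over the legacy protocols the article names when no MFA was applied, and sign-ins from a network the user has not used before. The log format, user names and IP addresses are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample sign-in log (not data from the incident).
# Assumed columns: time,user,protocol,src_ip,mfa,result
SAMPLE_LOG = """\
2020-05-11T08:02:11Z,jdoe,web,198.51.100.23,yes,success
2020-05-12T08:05:40Z,jdoe,web,198.51.100.77,yes,success
2020-05-13T12:30:02Z,asmith,web,203.0.113.5,yes,success
2020-05-15T03:14:09Z,jdoe,imap,192.0.2.44,no,success
2020-05-15T03:20:51Z,jdoe,smtp,192.0.2.44,no,success
2020-05-16T09:00:00Z,asmith,pop3,203.0.113.9,no,failure
2020-05-16T09:10:00Z,asmith,web,203.0.113.80,yes,success
"""

LEGACY_PROTOCOLS = {"smtp", "pop3", "imap"}  # the protocols the article names


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so ordinary address churn is not flagged."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def review_signins(log_text):
    """Return (time, user, reason) findings for successful sign-ins worth review."""
    seen = defaultdict(set)  # user -> networks with earlier successful sign-ins
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        time, user, proto, ip, mfa, result = row
        if result != "success":
            continue
        net = network_of(ip)
        if proto in LEGACY_PROTOCOLS and mfa != "yes":
            findings.append((time, user, f"{proto} sign-in without MFA"))
        # A user's first sign-in only seeds the baseline; later ones are compared.
        if seen[user] and net not in seen[user]:
            findings.append((time, user, f"new source network {net}"))
        seen[user].add(net)
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Because every successful sign-in is added to the user's baseline, a source that is not reviewed the first time it appears will not be flagged again, which is one reason this kind of review trails the attacker.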
For more information on the Iowa City incident, please read: https://www.kcrg.com/2020/11/18/mercy-iowa-city-reports-data-breach-over-60000-iowans-affected/