UMass Memorial Health has become the victim of a phishing attack that allowed unauthorized access to employee email accounts from June 24th, 2020, to January 7th, 2021. After investigations concluded on August 25th, 2021, it was reported to the Department of Health & Human Services on October 15th that the incident affected more than 209,000 individuals. UMass Memorial Health stated “We do not have any evidence that your information was in fact viewed or accessed, only that it was simply contained within an email account that was compromised.” Both hospital patients and plan participants were impacted. Compromised data included names, dates of birth, medical record numbers, health insurance and treatment information, dates of service, provider names, diagnoses, procedure information and/or prescription information, as well as subscriber ID numbers and benefits election information. Social Security numbers and driver’s license numbers were included for some people. UMass has not yet identified any misuse of the information, but as a preemptive measure it is offering a year of free credit and identity monitoring.
Incidents like this highlight the importance of training staff to spot and report phishing emails. Organizations should enable multi-factor authentication (MFA) not only for external network connections, but for internal ones as well. Spam filters can also be an effective tool for blocking suspicious emails before they reach employee inboxes.