Kalispell Regional Healthcare (KPH) revealed that a phishing attack might have exposed patients' personally identifiable information (PII).
Over the summer of 2019, KPH learned that several employees unknowingly handed their business email account credentials over to malicious actors after falling for a phishing attack. The Montana hospital responded to this discovery by disabling affected employees' email accounts, notifying law enforcement and enlisting the help of a digital forensics firm to investigate what happened. This effort revealed that malefactors might have access patient's PII including their names, Social Security Numbers, medical history and health insurance information. Craig Lambrecht, MD, president and CEO of KPH, revealed that the investigation turned up no evidence of anyone having misused patients' information. Even so, he said it was important to take extra precautions to protect everyone whom the incident might have affected. He said this decision stemmed from KPH's commitment to its patients. As quoted in a news release posted on the hospital's website:
We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future.... Our relationship with our patients is our most valued asset. I want to personally express my deepest regret for any inconvenience that these criminal actions may cause our patients and their families.
In support of that commitment, Kalispell Regional Healthcare mailed out notification letters to potentially affected patients. KPH used these letters to offer complimentary fraud consultation and identity theft restoration services to affected individuals. At the same time, the hospital took steps to prevent a similar incident from occurring in the future. One of the best ways that healthcare organizations can help prevent a phishing attack is by educating their employees about some of the most common types of these campaigns using a security awareness training program. This resource can help lay the groundwork for these training sessions.