Colorado-based Summit Pathology Laboratories, Inc., reported a major cyberattack to the U.S. Department of Health and Human Services (HHS), confirming that during an April 2024 attack, 1,813,538 patients’ protected health information (PHI) was compromised.
On April 18, 2024, Summit Pathology detected suspicious activity within its systems. A third-party forensic investigation then confirmed that unauthorized actors had gained access to Summit's network. The breach exposed sensitive patient information, including names, addresses, Social Security numbers, financial and insurance details, medical data, and specific diagnoses.
The Medusa ransomware group is suspected of being behind the attack. Reports also indicate the incident started with an employee clicking on a malicious email attachment, which gave the hackers access to Summit’s systems.
Though it remains unconfirmed if a ransom was paid, Summit’s data is not listed on the Medusa leak site, where data of non-paying victims typically appears.
See also: How do email phishing attacks impact HIPAA compliance?
In a public statement, Summit Pathology stated, “We value data privacy and sincerely regret any inconvenience this matter may cause. Our patients’ confidence in our ability to safeguard personal information and patient peace of mind are very important to us."
Additionally, the organization is offering affected individuals an identity protection service with $1 million in coverage.
The healthcare sector is a prime target for ransomware groups, which commonly gain their initial foothold through phishing emails and then monetize the access through extortion. Inadequate security awareness training leaves healthcare employees more likely to open a deceptive attachment or link, which is the kind of action reported in this incident.
Healthcare providers should use a HIPAA compliant email platform, like Paubox, to reinforce email security. Paubox email uses real-time threat detection to help prevent unauthorized access to PHI and the data breaches that follow.
Additionally, healthcare organizations must regularly train employees on HIPAA compliant practices, including identifying and reporting suspicious emails, best practices for email security, and what to do in case of a data breach.
Related: HIPAA Compliant Email: The Definitive Guide
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
See also: How to respond to a data breach
Phishing is a cyberattack in which attackers impersonate legitimate entities to deceive individuals into disclosing sensitive information, such as passwords or financial details, or into running malware. The attackers usually send fraudulent emails containing links to websites that harvest credentials or serve malicious code, or attachments that download and install malware when opened, as was reportedly the case in the Summit Pathology attack.
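The phishing signals described above, and the "identifying and reporting suspicious emails" training goal mentioned earlier, can be turned into a simple triage check. The script below is an added example written for this article; it is not Paubox code and does not describe how Paubox's threat detection works. It uses only the Python standard library to parse a raw email and flag four common indicators: SPF/DKIM failure recorded in the Authentication-Results header, a display name that borrows the recipient organization's name while the address domain differs, a link whose visible text points to a different host than its real href, and an attachment with a risky or double file extension. The two sample messages and every domain in them are constructed placeholders, and the risky-extension list is an assumption for this example.

```python
"""Triage an inbound email for common phishing indicators (added example, not from the article)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions that commonly carry a first-stage payload; assumed list for this example.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".iso", ".img", ".lnk", ".scr", ".docm", ".xlsm"}

# Constructed sample: lookalike sender, mismatched link, script attachment disguised as a PDF.
SAMPLE_EML = b"""\
From: "Summit Pathology Billing" <invoice@billing-notices.example>
To: staff@summit-lab.example
Subject: Updated lab invoice - action required
Authentication-Results: mx.summit-lab.example; spf=fail smtp.mailfrom=billing-notices.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please review the attached invoice or view it at
<a href="http://login.billing-notices.example/auth">https://portal.summit-lab.example/invoices</a>.</p>

--XYZ
Content-Type: application/octet-stream; name="Invoice_4471.pdf.js"
Content-Disposition: attachment; filename="Invoice_4471.pdf.js"
Content-Transfer-Encoding: base64

YWxlcnQoMSk7
--XYZ--
"""

# Constructed sample of a benign internal message, to show the checks do not fire on it.
CLEAN_EML = b"""\
From: "IT Help Desk" <helpdesk@summit-lab.example>
To: staff@summit-lab.example
Subject: Scheduled maintenance tonight
Authentication-Results: mx.summit-lab.example; spf=pass smtp.mailfrom=summit-lab.example; dkim=pass
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The lab information system will be unavailable from 22:00 to 23:00 for patching.
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def host_of(url: str) -> str:
    """Return the lowercased host part of an http(s) URL, or '' if it is not one."""
    m = re.match(r'https?://([^/:]+)', url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> list[str]:
    """Return a list of short finding tags for the raw RFC 822 message; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender authentication results as recorded by the receiving MTA.
    auth = msg.get("Authentication-Results", "")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("auth-fail")

    # 2. Display name reuses a word from the recipient's domain that is absent from the sender's domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    to_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    for token in re.findall(r"[a-z]{4,}", name.lower()):
        if token in to_domain and token not in from_domain:
            findings.append(f"display-name-spoof:{token}")
            break

    # 3. Visible link text shows one host while the real href goes to another.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for href, text in HREF_RE.findall(part.get_content()):
                shown = host_of(text)
                if shown and shown != host_of(href):
                    findings.append(f"link-mismatch:{shown}->{host_of(href)}")

    # 4. Attachments with an executable/script extension or a disguising double extension.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{fname}")
        elif fname.count(".") > 1:
            findings.append(f"double-extension:{fname}")

    return findings


if __name__ == "__main__":
    for label, eml in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(eml))
```

Each check is a heuristic, not proof: a display-name match can be a legitimate vendor, and SPF failures also happen with misconfigured forwarders. The value of a script like this is to route the flagged message to a reviewer or quarantine before a staff member opens the attachment, which is the step that reportedly gave the attackers their foothold here.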
If individuals suspect their data has been compromised, they should monitor their financial, insurance, and medical accounts for suspicious activity and report any unauthorized transactions or claims immediately.