I needed to write an article and was looking for ideas and figured the crystal ball thing worked so well I should check it again. Really, no, I didn’t use one but it sure felt like it when I read the notice published about the Baylor Medical Center’s breach.
Baylor Regional Medical Center has notified 1,981 patients that their information was compromised when a small group of the medical center’s affiliated physicians responded to phishing emails.
Here is the crystal ball part. On February 24, 2014, I posted an article to this blog titled: Who is phishing for your PHI? and specifically mentioned the techniques used in this attack. They state in their notification that they made the discovery on February 24, 2014.
No, I did not do it! I do have a bit of a creepy feeling about the coincidence though.
Thankfully, it appears no harm has come from the attack that they have found, so far. But, they have added more training concerning phishing in response to the situation.
Take note that it was a small group of affiliated physicians that fell for the scam. That says to me that a small practice created this problem for the hospital. I’ve lost count of the number of times I’ve heard “The hospital takes care of that” from small practices either owned or closely affiliated with the hospital. This is a clear example of two points in response to that statement.
- The hospital clearly doesn’t take care of everything for you.
- You have to step up and take care of this HIPAA compliance stuff before you put yourself and your affiliated hospitals, practices and BAs in serious hot water. This isn’t optional any longer.
It also reiterates the need for an on-going security awareness and training program in all sites, large and small. If you get busy doing your normal work you forget about the things that might be lurking in that laptop, tablet, phone, etc. that is helping you do that work. You need constant reminders of the dangers out behind that screen.
Filed under: HIPAA Tagged: Breach Case, Breach Notification, Compliance, Small Provider, Training