Decatur, Texas-based Wise Health System began notifying 66,934 patients that their protected health information may have been exposed in a phishing attack, according to a Feb. 13 news release.
On March 14, 2019, several employees at Wise Health System fell victim to a phishing email. In the email, hackers asked employees to disclose their account credentials. After employees provided the information, the hackers attempted to reroute payroll direct deposits.
Wise Health System estimates that the hackers attempted to redirect around 100 direct deposit payments. However, the health system has a policy requiring that a paper check be printed for two successive payrolls after a change to direct deposit information, which helped it discover the security breach.
In April, Wise Health System officials became suspicious of an unusually high number of printed checks. The health system issued a system-wide password change and hired a third-party forensic team to investigate.
Following the investigation, Wise Health System believes that the hackers were only trying to reroute direct deposits. However, since the attackers gained access to employees' email accounts, Wise Health System is notifying patients whose information was stored in the email accounts.
Patient data that may have been exposed included names, medical record numbers, diagnostic information, treatment information and health insurance information. Wise Health System said there is no evidence that patient data has been misused or even viewed.