You don’t have to have read any Hemingway or have had an uncle with a taxidermied marlin on the wall of his den to know about fishing for big ones.
And you don’t have to know very much at all to know about phishing for big ones. In fact, all you need to know about that thrilling online “sport” is encapsulated in the following story.
In accordance with its obligations under federal and state law, Orlando Family Physicians, LLC, recently announced that in April 2021, an unauthorized person, that is, a criminal, gained access to the email account of one of the practice’s employees through a phishing email. Eventually, the unauthorized access spread to a total of four employee email accounts.
Although the practice has announced that it is unaware of any misuse of the personal information about patients or other individuals, the following types of personal information were present, not necessarily all for any single person: name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number.
Several lessons can be drawn from the event:
1. Although the details of the practice’s operation are unknown, the breadth of information that was exposed by way of the attack is shocking. What is all of that information doing within email accounts? Where is your patients’ PHI stored, and where is it, really?
2. Orlando Family Physicians discovered the breach and reacted within days. How quickly might you discover a similar breach? What processes do you have in place? What active security and privacy policies have you not only documented, but put into place? How long ago? When were they last revisited and revised?
3. That shiny object dangling in front of your eyes might not be the Mercedes S-Class or that Patek Philippe you’ve always wanted. It might be a hook. Don’t open wide, unless it’s to call me to discuss how to avoid being caught with, well, to mix metaphors, your pants down.