At a time when hospitals are already strapped for resources, Mercy Iowa City hospital reported that an internal email compromise and phishing incident led to the exposure of personal information of some 60,473 individuals.

Mercy has no reason to believe that any personal information or protected health information has been misused for the purpose of committing fraud or identity theft, or that any personal information or protected health information was actually viewed by any unauthorized party, says a press release. 

An investigation revealed that the breached information contained personal or protected health information for certain individuals, including, depending on the affected individual, their name, date of birth, Social Security number, driver’s license number, medical treatment information, and medical insurance information.

Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, notes that organizations cannot turn on a dime to perfectly harden their infrastructure, so it is understandable that breaches can happen. "What would really help in this incident is to share details beyond 'employee's email was compromised and some phishing happened' -- if that was all, how did 60,000 people lose their information? Tracing the attack from emails to data stores where critical data resides -- both SSN/financial and medical records were compromised here! -- is critical. Organizations can respond to this incident by buying more 'email security' -- instead, organizations can often find simpler fixes that stop stray phishing incidents from escalating into large data-store breaches," Tiwari adds. 

Cybersecurity firm Mimecast recently examined how cybercrime affects hospitals, finding that: 

  • 90% of healthcare organizations experienced email-borne attacks in the past year
    • 25% suffering from very or extremely disruptive attacks
  • 72% experienced downtime as a result of an attack

Lisa Plaggemier, Chief Strategy Officer at MediaPro, explains, “Like the vast majority of incidents, this breach reportedly started with a phishing email that compromised an employee’s email account. The volume of phish hitting company email gateways is mind-boggling. No matter how good the filtering is, there will always be exceptions – phish will land in employees’ inboxes. Training and awareness are critical for employees to recognize and report phishing. Unfortunately, for many organizations, training budgets have suffered. Due to COVID-19, budgets planned for training were used to purchase technology to enable everyone to work from home securely. Training employees to recognize phish is also not a ‘one and done’. The best training is short, targeted and ongoing.”

According to Jack Kudale, founder and CEO of Cowbell Cyber, “Organizations that process protected data face a long tail of expenses following a data breach. This can rapidly rise into hundreds of thousands, if not millions of dollars, and is why cyber insurance is becoming a must, not a nice to have.”

Matthew Gardiner, cybersecurity strategist, Mimecast, says, "The successful cyberattack against Mercy Iowa City hospital that led to this data breach is extremely common. Cybercriminals often focus on stealing login credentials at targeted organizations and then using that access to breach other organizations or people that would trust email coming from that organization. Giving cybercriminals more than a month’s access to an organization’s email system is a recipe for a breach of this magnitude. Fortunately, there are some pretty simple security controls that can be applied to make this sort of breach much less likely. These controls include multi-factor authentication to make giving away access much more difficult, phishing controls that inspect and filter inbound, outbound, and internal mail flow to prevent the attacker’s initial access and spreading, and security awareness training to help staff become more aware and cautious of these sorts of email and other types of attack."