On June 28th and July 9th, at least two employees of the Minnesota Department of Health fell prey to phishing attacks, allowing the attackers to access over 21,000 patient records. The successful attack was not identified by IT staff until August, giving the attackers roughly a month of access to the files. Both accounts were secured once discovered by the IT Department.
Other employees may have been targeted, but because the investigation is still ongoing, it is not yet known whether any other employees clicked on the malicious links.
The e-mails the attackers gained access to contained names, addresses, phone numbers, Social Security numbers, employment information, and other personal data.
According to officials, Minnesota’s executive agencies have been experiencing an increase in targeted phishing campaigns. Minnesota DHS is continuing to increase employee education regarding e-mail and best practices as well as incident response.
Unfortunately, this is not uncommon. Also this month, California-based Gold Coast Health Plan revealed that it too was a victim of phishing and began to notify its 37,000 affected patients. There, too, attackers had access to data for approximately a month before it was discovered.
Attackers can use highly targeted methods to try to fool users into clicking malicious links. User awareness training and a general sense of suspicion are the best methods of combating these attacks. If an attacker is successful, network monitoring and access control management tools are the next line of defense in keeping a successful attack contained.