Exploit: Phishing scam
Sinai Health System: Chicago-based healthcare network
Risk to Small Business: 1.555 = Severe: Two employees fell for a phishing scam that gave hackers access to email accounts containing patients’ personal data. The attack, which occurred on October 16th, wasn’t discovered until December. In response, Sinai Health Network reset employees’ email passwords and provided employees with phishing scam awareness training to prevent a similar event in the future. Unfortunately, these actions cannot undo the damage of a data breach, and the healthcare network will now endure heavy regulatory scrutiny, as the Office for Civil Rights has launched an investigation into the incident.
Individual Risk: 2.285 = Severe: Patients’ personal information was compromised in the breach, including their names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Hospital administrators contend that there is no evidence of misuse, but patients impacted by the breach should not presume that their data is secure. Instead, they should closely monitor their accounts for unusual activity, and they should consider enrolling in identity monitoring services to ensure that their information isn’t misused down the road.
Customers Impacted: 12,578
How it Could Affect Your Customers’ Business: It’s inevitable that phishing scams will make their way into your employees’ inboxes. Fortunately, these attacks fail if employees recognize the threat and don’t engage with the email. Employee awareness training can turn email recipients into a strong defense against phishing scams, but waiting until after a breach to provide this training is fruitless. As Sinai Health System just learned, if employees aren’t ready to respond before an incident occurs, the training efforts won’t save your company’s data or its dollars.
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.