The Oregon DHS recently disclosed that the protected health information (PHI) of over 350,000 clients had been compromised in a data breach. Nine employees clicked a phishing URL embedded in a spear-phishing email, granting cybercriminals access to the mailboxes of nearly 2 million employee accounts.
On January 28, Oregon DHS confirmed that clients' PHI had been accessible to unauthorized persons. Further unauthorized access to the compromised mailboxes was halted, but it could not yet be verified whether any PHI had been stolen or inappropriately used.
The clients' exposed PHI is covered by HIPAA. This incident is considered a breach under Oregon's Identity Theft Protection Act. Information that may have been compromised in the data breach includes the following: first and last names, addresses, dates of birth, Social Security numbers, case numbers, and other information used to administer DHS programs.
Cybercriminals are using more varied schemes for phishing attacks to compromise email accounts, among other services.
In January, the U.S. Secret Service shared information regarding spear-phishing emails that appear to link to an encrypted document. When users click on the URL, they are asked to enter their email account credentials in a fake Office 365 login form. If the users fall for it, cybercriminals gain access to their email accounts.
Phishing emails that steal email account credentials to take over mailboxes are still widely distributed. Last year, millions upon millions of phishing emails circulated the globe, relying on highly deceptive tricks such as bogus yet legitimate-looking formatting that leads to fake login pages to collect user credentials.
To avoid or minimize the damage caused by phishing attacks and other advanced email threats, consider using advanced security technologies.
Aside from using advanced email solutions, organizations can also enforce security policies and train employees on best practices against malware.