We recently used Presbyterian Health Services' potential breach of electronic protected health information (ePHI) as a case study in why employee behavior and training are key elements of security and compliance.
Not even a month later, and here we go again.
Last week, Grays Harbor Community Hospital in Aberdeen, WA issued a formal notice of a potential electronic protected health information (ePHI) breach. Like Presbyterian Health Services, this potential breach was the result of a phishing email. In this case, the attackers launched a ransomware attack, holding the organization's medical records hostage and demanding a $1 million ransom to release the key to decrypt the data.
Grays Harbor seemed to have done everything right to prepare for this type of incident. They have an IT department, an anti-virus solution, data backups, and even took out a $1 million cyber insurance policy.
Even though they seem to have followed the playbook, there are some lessons to be learned from this incident.