[I]nformation on about 2,300 patients at the University of Vermont Medical Center was accessible to hackers after two employees fell victim to a phishing scam in late May and early June, the hospital said.
No patients' Social Security numbers or financial records were exposed, the hospital said in a statement Friday. But the compromised accounts contained "messages with patients' information, which may have included names, addresses, medical record numbers and clinical information, such as diagnosis, treatment, and medications."

The statement disclosing the attack said there is "no evidence that any patient information was used in any way."
During the attack, many employees received emails designed to look as if they had come from within the medical center administration.
In two cases, employees fell for the scam and provided personal information, which allowed the hackers to briefly take control of their email accounts.
The medical center network security team deactivated the accounts almost immediately, the hospital said, as soon as its software detected the compromised email addresses sending out spam messages.
Heather Roszkowski, head of internet security for the UVM Health Network, said the hackers' motives are a matter of speculation.
Keeping that in mind, she said, the contents of the outgoing messages sent by the compromised accounts suggest the attackers' goal was increasing traffic to certain websites in order to make money from advertising.
Investigations by the medical center's IT team and its security contractors did not determine the source of the attack. Roszkowski said that was because hackers typically veil their true location and identity behind layers of convoluted intermediate connections.
The UVM network security team is familiar with the organization that, at the surface level, appeared to have sent the phishing attempt. But Roszkowski said she's confident it wasn't the true source of the attack.
"I do not suspect them of having the hacker in their organization," Roszkowski said. "I think they were victimized, and if you went back, if they were willing to release their information, we would see a chain where the hackers were bouncing off of various organizations to really hide their true identity."
Michael Carrese, the UVM Medical Center's media relations liaison, said this attack was the first breach in the history of the medical center's employee network. The patient records system, he added, has never been breached.
Despite a good track record of cybersecurity, Roszkowski said, her department will review and enhance security protocols.
"You never get to the point where you feel like this is good enough," Roszkowski said. "You are constantly improving your (security) environment because the threats are always changing, the technology is always changing."
