Phishing Attack Exposes Patient Records in Washington

A Vancouver surgery center notified more than 2,000 patients of a recent email-based cyberattack and data breach that targeted Social Security numbers, credit card numbers and other personal information.

by Anthony Macuk, The Columbian / November 14, 2018

(TNS) — The Southwest Washington Regional Surgery Center in Vancouver has been hit by a data breach, which may have revealed personal information from 2,393 patients including names, Social Security numbers, driver license numbers, medical information and some credit card numbers.

Not all patients were affected. A notice posted on the center’s website says the office notified the 2,393 affected patients last week, on Nov. 6.

The breach involved a phishing attack that allowed hackers to gain access to one employee’s email, according to the notice. The list of affected patients and compromised data was determined by reviewing the emails on the employee’s account.

The notice says that the email box was compromised between May 27 and Aug. 13. After learning of the breach, the center hired external cybersecurity professionals and launched a forensic investigation, which concluded Sept. 25.

The center is offering free enrollment in a credit monitoring and identity theft restoration service for impacted patients, and the company also notified patients about ways to protect their information including monitoring their bank statements and placing a security freeze on their credit files.

The website notice says the company has found no evidence the compromised information has been misused.

The company has set up a response hotline for affected patients: 888-891-8399. The center has also updated its passwords and enhanced its email access protocols to prevent further breaches.

A representative at the hotline and an employee at the company’s office said they would forward questions about the breach to center officials. Those officials did not return the calls on Tuesday.

The Southwest Washington Regional Surgery Center is an outpatient surgery center that performs general surgery and also features a variety of specializations including orthopedic, spine, podiatry, pain management and plastic surgery. The center handles almost 8,500 cases per year, according to its website.

News of the center breach comes just a month after a similar breach was publicly reported by Vancouver-based Rebound Orthopedics and Neurosurgery, which operates offices in the same building where the center is located: the Physician’s Pavilion building at PeaceHealth Southwest Medical Center.

Rebound and the center appear to be primarily owned by the same group of physicians, according to the center’s website and business registration records at the Washington State Department of Revenue.

The two breaches also share some characteristics; the Rebound breach was reported to have taken place on May 22 — just a week before the center breach — and also involved a successful phishing attack that gained access through a single employee’s email account.

However, a Rebound official named Todd Carpenter, reached by email on Tuesday, said the two data breaches were unrelated.

Rebound executive director John Bauman told The Columbian in October that the company’s employees are trained to scrutinize suspicious emails, but the phishing email appeared to have been sent by a known representative of the company’s landlord.

According to PeaceHealth spokeswoman Debra Carnes, the Pavilion building is physically connected to the adjacent PeaceHealth hospital and PeaceHealth leases some of the Pavilion’s offices, but the building itself is not owned or operated by PeaceHealth.

The Physicians Pavilion building appears to be owned by Pacific Medical Buildings, a California-based real estate company. The company’s website advertises vacant office suites in the Pavilion. Pacific Medical Buildings did not return calls requesting comment when the Rebound breach was reported in October, and again did not return calls on Tuesday.

©2018 The Columbian (Vancouver, Wash.). Distributed by Tribune Content Agency, LLC.