Beazley, a specialist insurer, recently provided information on the ever-increasing email breaches that are leaving protected health information (PHI) vulnerable.
Beazley has a Breach Response Service that allows them to gather statistical information and provide that to the general public to help fight cybercrimes. While Beazley focused primarily on Office 365 users in their latest report, they found great information that anyone can use. During the second quarter of 2018, they discovered that email breaches constituted 23 percent of the incidents reported by their clients. It doesn’t appear that any one industry was targeted.
Beazley warns people that business email compromises are an extremely efficient way for attackers to get information, especially if they gain access to the right account. Think about it: what kind of information do you use your work email for? Probably talking to your coworkers about patients that are being seen in the office. You might even use it to email patients directly if they have questions or concerns.
If your email account was compromised and an attacker acquired access, they could gather quite a bit of information just by combing through your emails.
Even if you don’t have much patient information in your email, the emails that go back and forth between you and your colleagues can give an attacker ample information for spear phishing attacks. In a spear phishing attack, an attacker gathers information to target specific people, such as your finance department or the CEO of a company.
You may see ordinary phishing emails in everyday life, like the prince from some African country asking you to pay for his trip out of the country. Those are not as tricky. But think about an email that looks like it is coming from your boss and asks you to provide account information or Social Security numbers for 100 patients.
Beazley also mentions that these email compromises are easily preventable, though you may need to get your IT person involved. Instituting two-factor authentication requirements will help protect your email account. Beazley anticipates regulators will be cracking down on these types of breaches, possibly making examples of a few companies in doing so.
If the fear of potential crackdowns from the government isn’t enough, such a breach can become quite expensive. If a breach of an email account is discovered, your company now has to enlist someone, probably a forensic or incident response firm, to comb through all the emails in your account, searching for anything that might be a true breach, like patient information that was viewable. While there is software that can help, it still takes the human eye and past knowledge to really determine if anything is cause for concern, and that’s a pricey service.
To learn about how you can help prevent email breaches and other ways to protect your patients’ information, join HIPAAgps now. The nearly one-hour training will provide information on this and give your employees quizzes so they can show they understand how to help protect your organization.