Outcomes - Selected Case Summaries


A healthcare provider suffers a phishing attack from former employee emails

Decisions | 29 May 2023

A healthcare provider reported that employee email accounts had been subject to a phishing attack targeting the company's Cayman office. Initially the attack was assessed as a spoofing attempt with no personal data breached; later reports revealed that several categories of data subjects, including clients and vendors, had been affected. The company's IT service provider opened an investigation, and both the affected clients and the Office of the Ombudsman were notified of the breach.

The healthcare provider immediately changed all passwords on all company devices. Its IT service provider recommended a quarterly user awareness training programme on data protection and phishing, a SIEM (Security Information and Event Management) solution for centralised logging, a policy blocking USB devices on workstations, multi-factor authentication on all remote services, a mobile device management solution, restricting external laptop use to management staff and to emergencies, and a review of current policies. We added a regular review of overall security and processes to that list, to reflect best practices.