Wednesday, January 27, 2010

Annals of Security: The Phishing Scam at UCSF

Last September, a faculty physician at UCSF Medical Center received an email that appeared to have been sent by the hospital IT staff. The email asked the physician to provide his email login and password information so the staff could implement routine security upgrades on its servers.

It seemed like an ordinary request, so the physician provided the information.

It turns out the email was produced by a scammer, and the result was that the physician had unwittingly exposed the personal information of 600 patients.

When bona fide UCSF security officials identified the breach, they deactivated the compromised account and alerted affected patients that a hacker may have obtained access to emails containing their demographic and clinical information and, in 4 cases, their Social Security numbers as well.

UCSF claimed in a press release that it had no proof that unauthorized access in fact took place. It nevertheless advised affected patients to (1) review the “explanation of benefits” sent by their health insurer, (2) look for payments they do not recognize, and (3) report any unusual payments found to their insurer or provider.

The university also set up a toll-free number to help people with questions or concerns and provided re-education to employees about protecting user IDs and passwords. It declined to identify the physician.

A Spreading Concern
The UCSF incident is just the latest in a recent string of phishing scams targeting financial institutions, large companies and health care organizations.

In December, for example, the CDC warned the public about fraudulent emails asking users to create personal H1N1 vaccine profiles as part of a CDC-sponsored program to track the spread of the epidemic. A link in these emails sent recipients to a sham CDC Web site. According to the CDC, the site likely installed malicious software on victims' computers once they clicked on the link.

The UCSF scam is a type of "spearphishing," which is similar to, but not the same as, phishing. Both are carried out using legit-appearing emails. But while phishing emails are distributed to as many email accounts as possible, spearphishing targets specific groups or individuals by impersonating an entity with whom the recipient routinely exchanges information, such as an employer or an insurance company.

Phishing and spearphishing scams generally unfold in one of two ways. The first is what happened at UCSF: a hacker sends a legit-appearing email that asks for login information or credentials, and then uses them to access confidential information. The second is what happened in the CDC case: the email includes a link to a Web site that looks legit, but the site is controlled by the attacker, and visiting it installs malware on your machine, typically by prompting you to run a download or by exploiting the browser itself. The malicious code then gives the hacker access to your computer or network.

From that point, the hacker can observe everything you do, including how you access your financial accounts or patient confidential information.

No one knows exactly how much of this goes on, but security experts say it's commonplace. Scams aimed at physicians are often launched by disgruntled employees who know which organizations (e.g. hospitals, insurers, and billing services) are in frequent email contact with the practice.

How can you Protect Yourself?
It’s often difficult to distinguish fraudulent from legitimate emails, Robert Siciliano, CEO of IDTheftSecurity.com, recently told Amednews. But there are clues.

It’s wise to beware of emails from companies you don’t currently do business with, for example. This would catch some of the recent phishing scams that use emails from social networking sites and online retailers.

In other cases, the email appears to come from a familiar company, but the email addresses or URLs are a bit off. For example, an email appearing to come from Bank of America could contain a URL for Bank of Americas, with an "s," according to Siciliano. Note also that the text of a link and the address it actually points to can differ; hovering over a link in most email programs shows the real destination before you click.

But even if the email appears totally legit, Siciliano warns not to click on links contained in email. He recommends that physicians instead bookmark frequently visited sites and use the bookmarks rather than links in email.

Another thing to avoid is email attachments with the extension ".exe." This suffix denotes an executable file, which could be malicious code. That said, sophisticated hackers know how to disguise executables with less obvious names: Windows hides known extensions by default, so a file named "statement.pdf.exe" is displayed as "statement.pdf," and the extension is only a label in any case. What a file actually does is determined by its contents, not its name.
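The three clues above (a link whose real target is not the site named in the text or is a near-miss of a familiar domain, a sender domain that is one letter off, and an attachment whose contents are executable whatever its name) can all be checked mechanically. The following Python script is an added example written for this page, not code from the original post or from Practice Fusion. The bookmark list, the sample message and every address in it are constructed for the illustration; the only real-world facts it relies on are that a Windows executable begins with the bytes "MZ" and that HTML links carry their real target in the href attribute.

```python
"""Mechanical checks for a suspicious email: link targets, lookalike sender
domains, and attachments judged by their first bytes rather than their name.
The sample message and the bookmark list are constructed for this example."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Sites the reader has bookmarked and would normally open directly
# (assumed list for the example).
BOOKMARKED_DOMAINS = {"bankofamerica.com", "ucsf.edu"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def registered_domain(host: str) -> str:
    """Keep the last two labels: www.bankofamericas.com -> bankofamericas.com.
    Good enough here; a real checker needs the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the bookmarked domain this one is a near-miss of, else None."""
    label = domain.split(".")[0]
    for known in sorted(BOOKMARKED_DOMAINS):
        klabel = known.split(".")[0]
        if label != klabel and levenshtein(label, klabel) <= 2:
            return known
    return None


def check_links(html: str) -> list:
    """Flag links whose real target differs from the domain shown in the link
    text, and links to domains the reader does not normally visit."""
    findings = []
    for href, text in HREF_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        target = registered_domain(host)
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registered_domain(shown.group(0)) != target:
            findings.append(f"text shows {shown.group(0)} but link goes to {host}")
        elif target not in BOOKMARKED_DOMAINS:
            near = lookalike_of(target)
            suffix = f" (near-miss of {near})" if near else ""
            findings.append(f"link to unbookmarked domain {host}{suffix}")
    return findings


def check_attachments(msg: EmailMessage) -> list:
    """Judge attachments by their first bytes, not their name: 'MZ' is the
    Windows executable header, whatever extension the filename carries."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        if data.startswith(b"MZ"):
            findings.append(f"{name} is a Windows executable despite its extension")
    return findings


def analyze(msg: EmailMessage) -> dict:
    findings = {"sender": [], "links": [], "attachments": check_attachments(msg)}
    sender_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    near = lookalike_of(sender_domain)
    if near:
        findings["sender"].append(f"sender domain {sender_domain} is a near-miss of {near}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        findings["links"] = check_links(html.get_content())
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed phishing-style message; every address in it is made up."""
    msg = EmailMessage()
    msg["From"] = "IT Security <security@bankofamericas.com>"
    msg["To"] = "doctor@example.org"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please verify your account at our website.")
    msg.add_alternative(
        '<p>Sign in at <a href="http://www.bankofamericas.com/login">Bank of America</a>, '
        'see <a href="https://www.ucsf.edu/">ucsf.edu</a>, or open '
        '<a href="http://login.example-mail.net/">www.bankofamerica.com</a>.</p>',
        subtype="html",
    )
    # Named .pdf, but the payload begins with the 'MZ' executable header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg


if __name__ == "__main__":
    for kind, items in analyze(build_sample_message()).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the constructed message, the script reports the sender domain and the first link as near-misses of bankofamerica.com, the third link as pointing somewhere other than the domain its text displays, and the "PDF" as an executable; the ucsf.edu link passes because it is bookmarked and its text matches its target. The checks are heuristics, not proof: a link to a domain you have not bookmarked is a reason to type the address yourself, and an attachment that passes the header check is not thereby safe.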

Physicians should also warn employees about these scams, especially the ones who communicate frequently with financial institutions and insurers.

Glenn Laffel MD, PhD
Sr. VP Clinical Affairs, Practice Fusion


Glenn Laffel, MD, PhD - Dr. Laffel is a physician with a PhD in Health Policy from MIT. He serves as Practice Fusion's Senior VP, Clinical Affairs.


About Practice Fusion

Insight from doctors and industry leaders on EHR and healthcare IT topics. Free, web-based Electronic Health Record solutions from Practice Fusion.

http://www.practicefusion.com
