American health care service provider Kaiser Permanente recently fell victim to a security incident in which an unauthorized party gained access to an employee’s emails. In the process, the attackers had the opportunity to siphon off the sensitive data of nearly 70,000 customers.
Kaiser issued an online notification regarding the incident in early June. According to the statement, many of those who may have been affected by the breach had already been notified by letter. The actual breach had already taken place on April 5th, 2022. The precise number of patients whose data may have fallen into the wrong hands, however, is only disclosed in an entry on the website of the U.S. Department of Health and Human Services Office for Civil Rights, which is also investigating the incident. That entry confirms that the sensitive data of 69,589 individuals was exposed to unauthorized access via the email account of a single employee at Kaiser Foundation Health Plan of Washington.
The number of those potentially impacted starkly underlines how damaging the ramifications of business email compromise (BEC) can be for a company, even before considering the sending of malicious messages from the hijacked email account, which is often the actual motive behind such attacks.
Just how the email account came to be taken over is not revealed in the statement released by Kaiser Permanente. It only mentions that the unauthorized access was terminated within hours by resetting the password for the email account. The employee in question was given additional training on safe email practices, and the company is investigating other measures it can implement to ensure that incidents of this nature do not occur again in the future.
Technical and organizational steps to protect email communication, which remains business critical for companies, have long been an indispensable part of any IT security strategy. With its Secure Email Platform, Retarus offers a comprehensive solution for email: reliable, secure cloud enterprise services such as email security and continuity, transactional and marketing email, real-time monitoring and analytics, workflow, and routing services – all “made in Europe”, 100 percent GDPR compliant and provided from our self-managed, audit-ready data centers. Find out more on our website or directly from your local Retarus representative.