US federal regulators have given the University of Washington Medicine (UWM) a $750,000 fine and a corrective action plan two years after a phishing-related breach hit the university and compromised 90,000 individuals’ records. This ‘resolution agreement’ is the first of its kind to stem from the investigation of a phishing incident and calls for the University to develop a current, comprehensive, and thorough risk analysis of its security risks and vulnerabilities.
The phishing breach occurred in 2013 when an employee opened an email link to review an attachment in a “forged/hoax email containing malware in an attachment”, exposing thousands of records. The malware provided potential access to contact and other information needed for billing patients that was stored in files on the employee’s desktop computer.
This incident serves as a reminder to us all of the potential risks we face from phishing scams, and of the need for every University employee to be vigilant in safeguarding the University against the increasing threat of targeted phishing attacks. Breaches like these are preventable with staff awareness and training. Cardiff University is launching an Information Security Training module in the New Year, covering a range of security topics, including how to identify phishing scam emails.