Allegheny Health Network Announces Data Breach Impacting 8,000 People Following Email Phishing Attack

Console and Associates, P.C.

On July 29, 2022, Allegheny Health Network confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on AHN’s network through a phishing attack. According to AHN, the breach resulted in patients’ names, dates of birth, dates of service, medical record/ID numbers, clinical information such as medical history, conditions, treatments and diagnoses, addresses, patient phone numbers, driver’s license numbers and email addresses of an estimated 8,000 patients being compromised. Recently, AHN sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Allegheny Health Network data breach, please see our recent piece on the topic here.

Additional Information About the Allegheny Health Network Phishing Attack and Data Breach

According to a notice posted on the company’s website, on May 31, 2022, an unauthorized actor sent an Allegheny Health Network employee a malicious phishing email containing a link. The employee evidently clicked on the link, resulting in the unauthorized party gaining access to the employee’s email account. In doing so, the hacker also gained access to the sensitive patient information contained in the employee’s email account. It was not until June 1, 2022 that AHN discovered the unauthorized access.

In response, Allegheny Health Network shut down the compromised email account, secured its IT system, and then began working with outside cybersecurity professionals to investigate the incident. The company’s investigation confirmed that the unauthorized party was able to access patients’ protected health information that was contained in the affected email account.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Allegheny Health Network then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, dates of service, medical record/ID number, clinical information such as medical history, condition, treatment and diagnosis, address, phone number, driver’s license number and email address.

On July 29, 2022, Allegheny Health Network began sending out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Allegheny Health Network is a large healthcare provider network based in Pittsburgh, Pennsylvania. The Allegheny Health Network consists of multiple locations and practices, including:

  • Allegheny General Hospital
  • Allegheny Valley Hospital
  • Brentwood Neighborhood Hospital
  • Canonsburg Hospital
  • Forbes Hospital
  • AHN Grove City
  • Harmar Neighborhood Hospital
  • Hempfield Neighborhood Hospital
  • Jefferson Hospital
  • McCandless Neighborhood Hospital
  • Saint Vincent Hospital
  • West Penn Hospital
  • Westfield Memorial Hospital
  • Wexford Hospital

Allegheny Health Network is owned and operated by Highmark Health, an $18 billion healthcare company that owns several other healthcare practices and hospitals. Allegheny Health Network employs more than 21,000 people and generates approximately $3 billion in annual revenue.

Malicious Phishing Emails: The Weapon of Choice Among Cybercriminals

In a notice posted on the company’s website, Allegheny Health Network explains that the recent data breach was the result of a malicious phishing email. In recent months, a large number of healthcare providers have fallen victim to email phishing campaigns, resulting in millions of consumers’ information ending up in the hands of hackers. In fact, phishing is the most common type of cyberattack and has been for some time. For example, between 2019 and 2021, more than a third of all data breaches were the result of a successful email phishing attack.

Unlike a ransomware attack, phishing attacks do not require a hacker to breach a company’s network. Instead, hackers send a company employee a seemingly legitimate email hoping to trick an employee into either giving them the information they need to access the employee’s email account or clicking on a malicious link that downloads malware onto the employee’s device. In either case, phishing attacks are highly preventable because they rely on duping an employee into thinking that the email was legitimate.

Of course, employees are not to blame if they were not properly trained on how to detect a potentially fraudulent email. This is where a company’s obligations come into play. Organizations should implement strict training programs to educate employees not only about the dangers of phishing emails but also about how to recognize the signs that an email may be fraudulent. For example, hackers typically send phishing emails from domain names that are similar—but not identical—to the company’s actual domain name. An email may appear valid if it comes from the domain ahn.com; however, Allegheny Health Network’s domain is ahn.org.

Additionally, companies that employ state-of-the-art data security systems can prevent these emails altogether or at least have mechanisms in place to quickly detect a breach. While these measures may come at a high cost for organizations, they are imperative when conducting business in an environment where phishing attacks are as common as they are today.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
