Recently, Saint Joseph’s Healthcare System in New Jersey announced that more than 5,000 employees at some of its facilities may be at risk of identity theft following a phishing scam that potentially compromised their information.
Saint Joseph’s Vice President of External Affairs Kenneth Morris Jr. stated: “patient data and medical information were not affected, but employees’ names, social security numbers and employee earnings of 2015 and 2016 were potentially accessed.”
This was a big payday for the perpetrators of this crime. Names, Social Security numbers and two years of earnings data are the golden keys for financial gain on many fronts: fraudulent tax refund claims filed with the Internal Revenue Service and/or state agencies, and loans and credit cards opened in the employees’ names.
What is phishing? Wikipedia defines it as “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”
So how does one prevent phishing? Education! Many of my clients have started to create 140-character rotating informational pop-ups. The pop-ups are scheduled to appear when an employee logs onto their computer. Another client has created a rotating banner with a single message. To ensure employee engagement, many of my clients have also created a weekly contest with questions drawn from the rotating pop-ups. There are gift card prizes for the first- and second-place winners.
Who is the real winner here? I believe it is the organizations that are taking proactive approaches to stemming these crimes. Statistics tell us that over 68 percent of all intrusions are due to employee actions.
The Federal Trade Commission (FTC) published a consumer education piece dated September 2011. It identified the following as examples of known phishing email messages:
"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
"Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."
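The three FTC examples share a small set of lures: a claimed problem with "your account", a request to "verify" or "confirm" details, an explicit click-or-call prompt, a deadline, and a financial reward. As an added example (my own code, not part of the original article and not an FTC tool), the Python below scores a message against those lures. It goes one step beyond the FTC text: it also flags an HTML link whose visible text names a different domain from the one its href actually points to, a structural indicator the FTC list does not mention. The regexes, the pattern names, the two-point weight for a deceptive link and the threshold of 2 are my choices; the three FTC messages are the sample input, alongside two constructed messages.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Lure patterns distilled from the three FTC examples above. The regexes are
# constructed for this example; they are not an FTC artifact.
LURE_PATTERNS: Dict[str, re.Pattern] = {
    name: re.compile(pat, re.IGNORECASE)
    for name, pat in {
        # a claimed problem with "your account"
        "account_threat": r"\b(?:unauthori[sz]ed transaction|account (?:is |was |has been )?(?:not )?(?:compromised|suspended|locked|overcharged))\b",
        # a request to re-enter credentials or personal data
        "verify_request": r"\b(?:confirm|verify|update|validate) your (?:identity|information|account|details)\b",
        # the call to action: click a link, call a number, reply with data
        "action_prompt": r"\b(?:click (?:the link|here|below)|call us|reply with)\b",
        # artificial urgency
        "deadline": r"\b(?:within \d+ (?:hours?|days?)|immediately|as soon as possible)\b",
        # a financial reward as bait
        "money_lure": r"\b(?:refund|prize|reward|winnings)\b",
    }.items()
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Production code should use the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html: str) -> List[Tuple[str, str]]:
    """Return (shown_host, real_host) pairs for anchors whose visible text
    names a domain different from the one the href actually points to."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        real_host = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT_RE.search(text)
        if shown and real_host and registrable(shown.group(1)) != registrable(real_host):
            found.append((shown.group(1).lower(), real_host.lower()))
    return found


@dataclass
class Verdict:
    score: int
    hits: List[str]
    suspicious: bool


def assess(message: str, threshold: int = 2) -> Verdict:
    """Score a message: one point per lure pattern matched in the visible text,
    two points for a deceptive link. At or above `threshold` it is flagged."""
    visible = TAG_RE.sub(" ", message)
    hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(visible)]
    score = len(hits)
    if link_mismatches(message):
        hits.append("link_mismatch")
        score += 2
    return Verdict(score, hits, score >= threshold)


# Sample input: the three FTC examples quoted above, plus two constructed messages.
SAMPLES = {
    "ftc_1": "We suspect an unauthorized transaction on your account. To ensure that your "
             "account is not compromised, please click the link below and confirm your identity.",
    "ftc_2": "During our regular verification of accounts, we couldn't verify your information. "
             "Please click here to update and verify your information.",
    "ftc_3": "Our records indicate that your account was overcharged. You must call us within "
             "7 days to receive your refund.",
    # constructed: a legitimate receipt that mentions a refund but asks for nothing
    "benign": "Thanks for your order. Your refund has been processed and should appear on your "
              "statement in 3 to 5 business days.",
    # constructed: polite wording, but the link text and the real destination disagree
    "deceptive_link": 'Please sign in at <a href="http://login.example-verify.net/x">'
                      "https://www.examplebank.com/secure</a> to keep your account active.",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        v = assess(msg)
        print(f"{label:15} score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Each FTC message scores at least 2, the benign receipt scores 1 on the word "refund" alone, and the deceptive link is caught even though its wording trips none of the lure patterns. The hit names are the useful output: they are the same cues a trained employee is asked to spot, so they work equally well as the text of an awareness pop-up or as the reason shown to a user when a reported message is confirmed as phishing.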
The FTC asks that you file a report with them if you have been tricked by a phishing email. The report can be filed at www.ftc.gov/complaint.
Additionally, the FTC recommends that you forward the phishing email to the company, bank or organization that was impersonated in the email, and report the phishing attack to firstname.lastname@example.org and email@example.com.
In all my educational seminars, I close with this mantra: “Knowledge is Power!” Take back the power and provide your staff members with education.
Judith is the CEO of JAL Consult and holds the accreditation of Certified HIPAA Professional (CHP). As a consultant, Judith provides guidance for organizations within the HIPAA framework. Judith develops and implements reasonable and appropriate compliance programs, develops employee training programs and participates in compliance presentations and speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult