March 17, 2016 01:00 AM

Spear phishing: A CEO's cautionary tale

Joseph Conn

    Few healthcare executives want to talk about how their organizations fell victim to cyber crime.

    But Jack Lynch, CEO of the four-hospital Main Line Health, based in Bryn Mawr, Pa., thinks others can learn if he talks about how his organization fell victim last month to a “spear phishing” exploit.

    The system wasn't hacked, Lynch said, but was tricked into releasing data.

    On Feb. 16, an employee received an e-mail, purportedly from the hospital's chief financial officer, asking for specific payroll information on Main Line Health workers, Lynch said.

    “The employee put together the information for what the employee thought was a legitimate request and forwarded the information back” to the e-mail sender, thinking it was the CFO, Lynch said.

    Two days later, a different Main Line employee received a separate e-mail, purportedly from Lynch, asking for employees' W-2 information.

    This time, the would-be exploiters made a telltale mistake. The e-mail message was signed “John Lynch.”

    “She knew it wasn't from me,” Lynch said. “I go by Jack.” The second employee deleted the message without reporting it to anyone.

    “At this point, nobody in management knew” that hospital employees had been targeted twice in two days, he said. They didn't know what was happening until March 1.

    That's when the IRS issued a national bulletin on a spear phishing campaign targeting payroll and human resources personnel.

    The employee who fell victim Feb. 16 read it, realized what had happened and called the health system's IT security, legal and compliance departments, Lynch said.

    Main Line immediately notified the FBI and the IRS, which launched investigations.

    On March 2, the other employee came forward, reporting there had been another spear phishing attempt. Main Line Health notified its employees, then the news media the same day.

    Employees have since been given credit counseling and monitoring services. Based on the IRS bulletin, Lynch said, it's likely the attackers wanted the information to file fraudulent income tax returns.

    No patient records were involved at Main Line, but spear phishing has been linked to some of the largest and most notorious medical record data breaches in healthcare history. They include the granddaddy of them all, last year's hack at insurance giant Anthem that exposed 78.8 million individuals' records.

    “I get a phishing e-mail at least once a day,” Lynch said. Some are “very authentic” looking, so organizations that are service-oriented and push employees to be responsive can fall into these schemes.

    Already this month, Main Line has taken a hard look at its security practices and technologies, improving both through process changes, employee education and tech improvements.

    Lynch said fraud experts and the IRS have met with staff. He said the system also turned off old technology that might have made it vulnerable.

    New technology makes it “very clear when an e-mail looks like it's coming from outside the firewall,” Lynch said, but, “if your employees don't know to be on the lookout for the difference between an external correspondence and an internal correspondence, that's a problem. You have to educate your people about that.”

    Employees are also trained to report all suspected phishing attempts to the IT security department.

    “What I'm saying, we need to take it to another level,” Lynch said. “I don't know what industry to look at and say, they've got it figured out. One of my contacts said this is a never-ending process. I think the world has proven that. You've always got to outsmart the technology of bad people.”

    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.