Phishing Attack Results in $400,000 HIPAA Breach Fine



A Denver, Colorado area network of public health clinics paid a $400,000 HIPAA breach penalty after a phishing attack let a hacker gain access to employee email accounts and obtain the electronic protected health information of 3,200 patients. Investigators found the organization violated the HIPAA Security Rule by failing to perform proper risk assessments or implement adequate cyber security measures and procedures. The official resolution agreement noted in part: "... The clinics have failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

Across the country, employees are frequently exposed to advanced phishing and ransomware attacks. Your employees, then, may be the weak link in your IT security.

From worst to best, these are 5 ways commonly used to train end-users:

“Do Nothing”: rely on filters and count on users to not click on phishing links. 25% of organizations still use this tactic. No kidding.

“The Break Room”: herd all users once a year into the break room. Keep them awake with donuts and coffee during the death by PowerPoint slide deck.

“The Monthly Security Video”: users are given short videos that each cover a topic related to keeping the network secure, but the result is fragmented training.

“The Phishing Test”: select a group of high-risk users and send them a mock phishing attack. Employees who fail are asked to complete a short remedial training.

“The Human Firewall”:

1) Pre-test all users to find out your organization’s Phish-prone percentage and get your baseline.
2) Train all your employees online, on demand, to resist the important attack vectors.
3) Schedule monthly simulated phishing attacks to all users year-round — fully automated, super simple, highly effective, and requiring very little time.

What’s best? The Human Firewall. How do you create it? Baseline testing, training, simulated phishing attacks, reports and data analysis. But you don’t do it … you call The Network Division at 2-Way Communications.

We’ll provide you with the integrated Security Awareness Training and Simulated Phishing platform used by more than 8,000 customers nation-wide. Included is world-class, user-friendly Security Awareness Training, along with self-service enrollment and pre- and post-training phishing security tests that show you the percentage of end-users who are Phish-prone. Additionally, there are effective, frequent, random Phishing Security Tests with several remedial options in case an employee falls for a simulated phishing attack. The result is a platform to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks.

Contact The Network Division for more information or to set an appointment today. Give them a call (603-431-6288) or send an email to
