TUPELO, Miss. (WTVA) — A phishing attack in early July did not result in the online theft of financial or personal information, North Mississippi Health Services announced on Friday, Sept. 1.
The hospital system shared the following statement:
"Today, North Mississippi Health Services (NMHS) issued a notice on its website of a data security incident. While there is no indication that personal information has been misused, we take our commitment to protecting the privacy of our patients seriously.
On July 3, 2023, NMHS became aware of unauthorized access through an employee’s email account after a phishing email was unintentionally opened. NMHS’s Security Operation Committee was immediately notified and promptly shut down the system. Because of the swift response and security safeguards in place, NMHS ended the unauthorized access within 17 minutes. Upon investigation, it was determined some of the employee’s emails, which may have included attachments, were potentially accessed during that time. The information that may have been accessed was limited to patients’ names, dates of birth, primary physicians’ names and diagnoses or dispositions upon recent discharge from North Mississippi Medical Center-Tupelo. It is important to note that no financial information or Social Security numbers were accessed, nor were any electronic medical records. Additionally, there is no evidence any information has been misused. NMHS is notifying impacted patients directly as well as federal authorities.
Although NMHS is unaware of any misuse of patients’ information, patients are encouraged to remain vigilant by reviewing their account statements and monitoring their credit reports for suspicious activity. Patients can order a free credit report by visiting www.annualcreditreport.com or by calling toll-free, 1-877-322-8228.
NMHS is committed to the safety and security of its patients’ information and apologizes for any inconvenience or concern this incident may have caused."
According to IBM, phishing attacks are fraudulent emails, text messages, phone calls or web sites designed to trick users into downloading malware, sharing sensitive information or personal data (e.g., Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their organizations to cybercrime.