Imagine you receive an email at work announcing you’re getting raise.
To get it in your next paycheck, you simply have to click a link, then enter your employee ID number, your date of birth, and your home zip code.
Roughly one quarter of 5,000 employees of Atlantic Health System who received that message opened that enticing email recently, and two-thirds of those who opened the email went on to provide the information required for the raise, according to a company email which was forwarded to NJ Advance Media anonymously.
It turned out to be a computer security test run by the hospital system on its own employees.
Not everyone is happy about the test. One anonymous employee described it as the company lying to employees about a pay increase in order to conduct its test, and said employees were “angered” by the deception.
A spokesman for the five-hospital system apologized for dangling the prospect of a raise in front of employees – but not for conducting the security test itself.
“We do acknowledge that the email was upsetting to people, and we do apologize for that,” said Robert Seman, a spokesman for Atlantic Healthcare. “Our intention was not to antagonize, but to test our strength if we were attacked by criminals.”
Atlantic runs hospitals in Morristown, Summit, Pequannock Township, Hackettstown and Newton.
Hospitals have proved to be a favorite target of “phishers,” or cybercriminals who set up emails or entire websites that mimic reputable companies.
While some phishing attacks are designed to get credit card data from customers, attacks on hospitals are designed to get into the system through employee accounts.
Once there, the hackers can shut down access to all patient information until paid a ransom – often in bitcoins, the untraceable online currency. One small Los Angeles hospital paid $17,000 last February to regain access to its own computer system, according to published reports.
The fairly new technique installs what is called “ransomware,” which now accounts for 93 percent of phishing attacks, according to the security website PhishMe.com
Cyber experts say hospitals have proved to be particularly vulnerable because of their rush to convert to digital medical records, a switchover pushed by the Affordable Care Act.
“The cyber criminals are getting more and more ‘authentic’ in their methods, so we have to utilize what we’re seeing out there in our tests,” Seman said. “This is mimicking what we’re seeing coming in.”
The prospect of a salary increase was used in order to make the email test enticing, wrote Kevin Lenahan, chief financial and administrative officer, in a follow-up email to all employees.
“Likewise, we took measures to ensure that the fabricated phishing emails looked authentic,” he wrote. “For example, we used our AHS logo, an element included in past attacks by actual cyber criminals.”
Seman said the email was sent from a URL that was a variation of the corporate one, and even ended in “.com,” which should’ve been a tip-off to alert employees. The health system’s real website ends in “.org.” An outside security company prepared the test, he said.
Seman said those employees who were angered by the false enticement of a raise conceded security testing was necessary, but felt using a raise as bait was unnecessary. The hospital will avoid that tactic in the future, Seman said.
The bogus data request was sent to 5,000 randomly selected employees, or about a third of the health system’s 15,000 employees working at its five North Jersey hospitals.
Nearly ten percent of the employees reported the email as suspicious, and many employees warned their co-workers against clicking on the link or providing any personal information, according to Lenahan’s email to employees.
While the company has the names of the employees who responded to the fabricated email, it indicated it did not collect or share the personal information they entered. Those employees are not in any trouble for having failed the security test, Seman said. If anything, all employees might receive extra security training at some point as a result of the exercise, he said.
The follow-up email ends with a reminder: “Please remember that AHS will never solicit confidential, personal information via email.”