Hackers are’t the only threat to your data. A Stolen iPhone creates a major headache for Catholic Health Care Services.

When most of us envision a data breach, our imaginations conjure up the image of a shadowy hacker, writing code, glued to a computer, demanding ransom in bitcoins or selling people’s personal information for profit on the deep web.

However, the truth is slightly less intriguing, yet just as damaging. The reality is that most data breaches stem from the behavior of an organization’s own employees.

A recent Forrester study shows that the majority of data breaches, 61%, start with negligent or malicious employees. Negligent employees account for 36% of data breaches. This could include, for example, a stolen iPhone (as in the case of Catholic Health Care Services) or an employee replying to scammers posing as clients. Malicious employees account for an additional 25% of all data breaches. This could include a disgruntled employee intentionally stealing or destroying data.


While many phishing attacks target credit card data, attacks on hospitals have a different objective and that is to access the system by using employee accounts.

The High Cost of Employee Negligence

This July, the Catholic Health Care Services of the Archdioceses of Philadelphia (CHCS) was hit with a HIPAA fine of $650,000 resulting from employee negligence.

The Office for Civil Rights (OCR), which enforces HIPAA, began investigating CHCS when it was informed of an employee’s stolen iPhone that lacked encryption or password protection. The stolen iPhone included extensive PHI including social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians and medication information.

While CHCS is feeling the sting of employee negligence due to a stolen iPhone, many organizations are feeling the pain by way of email scams.

In fact, the threat of phishing attacks and spoof emails is so widespread that organizations are now running security tests on their own employees.

Recently, Atlantic Health System, located in New Jersey, sent an email certain employes stating that the raises would be granted. In order to see the raise in the next paycheck, the employee simply had to click a link, enter an employee ID, date of birth and home zip code.

Atlantic Health System sent the spoof email to 5,000 of its 15,000 employees and one quarter of the 5,000 who received the email opened it and two-thirds of the employees who opened the email actually provided the information required for the raise.

While many phishing attacks target credit card data, attacks on hospitals have a different objective and that is to access the system by using employee accounts. Once the hackers have broken in, they can install ransomware and lock down files. In February, Hollywood Presbyterian Medical Center was the victim of such an attack.

While a number of Atlantic Health System’s employees felt tricked by and angered that the organization would use the story of a pay increase to test employees, Mac McMillian, of the security firm that ran the test, said the salary notification was necessary. “This one obviously struck a chord with the users,” McMillan said of the spoof email. “Instead of stopping and thinking, ‘Is this the normal way I would be notified about getting a raise?,’ employees thought, ‘Oh good, I’m going to get a raise.'”

How can Mice 360 combat employee negligence?

In order to avoid data breaches resulting from employee negligence, organizations must rely on more than today’s outdated and ineffective security methods. In the case of CHCS, which is suffering due to a stolen iPhone, what’s needed is a layered security defense that includes data encryption, multi-factor authentication and the ability to remotely lock down a stolen iPhone or mobile device.

At Mice 360, we provide all three.


Data must be secured at the data level, meaning each and every individual file must be encrypted. By encrypting data at the data level, organizations benefit from data security that travels with the data, even when it is sent across domains.


Passwords are constantly hacked. Multi-factor authentication creates a layered identity management defense. In order for a user to access data, two or more credentials must always be entered – this could include a password along with biometric verification or a security token.


A secure, enterprise space must be created on BYOD/non-enterprise devices (smartphones, tablets, laptops). In the event of a stolen iPhone or lost mobile device, remote logout can be used to mitigate data theft.

To learn more about how Mice 360 can protect your organization in the event of a phishing attack, check out our latest post on ransomware protection or contact us today.

Leave a Reply