Hospitals and healthcare organizations – many still burdened by COVID-19 and the changes it’s brought - continue to pose as attractive targets to hackers.

One organization, a Delaware-based eyecare office, was forced to disclose a breach from earlier this year this week after their email system was compromised, apparently in an attempt to carry out a business email compromise (BEC) attack.

BEC scams, attacks in which hackers trick executives and other C-suite workers into making wire transfers, are constantly evolving; they cost US businesses more than $2 billion in 2020.

It’s unclear how its email system was hacked in the first place but according to the company, Simon Eye Management, while inside, the unauthorized third party attempted to engage in wire transfer and invoice manipulation attacks against the company but none were successful.

While it’s not yet known how much the attack will cost the company, it did impact the data of more than 144,000 patients.

Information including protected health information (PHI) like name, medical history, treatment/diagnosis information, health information, health insurance information, and insurance application and/or claims information was potentially exposed according to the firm. Some patients had their Social Security number, date of birth, and financial account information compromised as well.

According to a disclosure notice, attackers managed to gain access to the firm's email environment between May 12 and May 28, 2021. It wasn't until more than a week later, on June 8, that Simon Eye discovered the attack and the corresponding activity however.

While the company claims its implemented data security protocols to enhance email security, it’s not clear what existing protocols it had to mitigate risk in the first place. That the firm can't definitively say whether the attackers viewed or took data with them suggests it lacked a way to monitor and protect its data.

While ransomware has ravaged facilities throughout the pandemic, breached PHI from cyberattacks continues to pileup too. Simon Eye is the latest in a long line of healthcare firms to fall victim this year.

A trio of attacks were disclosed just last month. The Chicago-area DuPage Medical Group had to notify 600,000 of its patients that their personal information may have been compromised. Metro Infectious Disease Consultants - another Illinois-based firm - had to inform 171,000 patients. 98,000 patients were impacted by a breach at Oklahoma's CareATC from June 18 and June 29. Another facility, Total Health Care Inc., based in Detroit, had to inform 221,000 patients in April.

That most of these facilities are outpatient centers and specialty clinics is not a coincidence.

As a report last month pointed out, outpatient facilities were breached just as often as hospitals from January to June this year.

“The causes of breaches at third-party vendors can run the gamut, ranging from poor access controls that fail to prevent vendors from seeing restricted data to phishing attacks,” the report reads. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain.”

As PHI (and PII) can be held for ransom, sold, and used to file fake insurance claims, attacks against outpatient clinics seem set to keep pace with those against larger hospitals.