The firm sent 5,000 randomly selected employees an email announcing a pay rise. Enclosed instructions told recipients to click a link and enter their employee ID number, date of birth and home post code, according to New Jersey based media outlet NJ Advance Media.
A message sent to the publication anonymously said that one quarter of the firm’s staff opened the email. Two-thirds of this group then provided the requested information.
However, the emails turned out to be a computer security test run by the hospital to probe how safe the company was from phishers. These are individuals who mimic reputable organisations in order to get personal information from their victims.
Some employees were unhappy about the test with one anonymous staff member telling NJ Advance Media that the company had lied to employees who were “angered” about the apparent deception.
While a spokesperson for the five-hospital system apologised for using the prospect of a pay rise, he refrained from apologising for the test itself.
“We do acknowledge that the email was upsetting to people, and we do apologise for that,” said Robert Seman. “Our intention was not to antagonise, but to test our strength if we were attacked by criminals.”
Hospitals have a “mother lode” of information for hackers, said Mac McMillan from CynergisTek, the firm which ran Atlantic Health System’s exercise. This includes birth dates, social security numbers and financial data of patients.
“We do those phishing exercises for a lot of hospitals across the country, and the fact is those hospitals that run test exercises have a much better chance of avoiding a future incident,” he said.
A phishing test is designed to create an emotional response strong enough to override the recipient’s caution, McMillan added.
“This one obviously struck a chord with the users,” he said. “Instead of stopping and thinking, ‘Is this the normal way I would be notified about getting a raise?’ employees thought, ‘Oh good, I’m going to get a raise’.”
Pay issues and benefits are often used in real phishing attacks, he continued, adding that the method was not over the line.
“We have to help our employees become more sensitised as to what the bad guys will do.”
The US-based non-profit healthcare organisation, Atlantic Health System, has come under fire for an email which employees have claimed is deceiving.