Security "Bits"

Healthcare Duped By “Spellcheck” Phishing Attack Again?

By Annie Wang | May 21, 2015 at 11:15 AM

caref1rst_attack“Fool me once, shame on you. Full me twice, shame on me” – Anonymous

This idiom has rung true in one of our world’s largest industries, healthcare. CareFirst Blue Shield made an announcement Wednesday May 20th, admitting that it had been the victim of a major data breach that compromised the records of 1.1 million customers. There is a very good chance that the same methods used in the Anthem and Premera breached were used again in this latest major breach.

CareFirst announced that the cyber criminals were able to gain access (and most likely steal) names, email addresses, birthdays and ID numbers. Luckily no SSN or credit card numbers were stored within the hacked database. 

Although it has not been confirmed, the same state-sponsored cyber criminals from China that carried about both the Anthem and Premera breach, may be the same that has left CareFirst the latest smeared healthcare organization.

But why is this happening so much?

It’s important to realize that cyber criminals are tactical. They are in most cases driven by the pursuit of financial gain. To them, healthcare data is the new data gold mine. In the past, much emphasis was placed on stealing credit card numbers. Today, the cyber criminal climate has changed. Medical data, which is now worth 50x more money on the black market than credit card data, is what criminals now have their cross heirs on, as it has the chance to turn into a major pay day in a black market bitcoin sale.

Meet the “Spellcheck” Phishing attack

So far, what we at Bitglass call the “Spellcheck” phishing attack, has resulted in two epic healthcare breaches thus far. The Anthem (largest breach in history) and the Premera healthcare breaches that together resulted in the loss of over 100 million sensitive customer records. The news of this new CareFirst breach may be the third in this trend of serial healthcare cyber attacks.

Here’s a break down of what we have seen so far:

On Feb 5th we learned that Anthem had been the victim of a healthcare breach. It was later determined that Anthem employees were fooled by an advanced phishing attack, and wound up delvering their personal access credentials directly to a cyber criminal owned subdomain site “”

On Feb 27th we learned that Premera had also been the victim of a very similar attack. This time, employees were fooled by a subdomain site with the name “prennera." 

On May 20th we have learned that a new subdomain called “” has been discovered, leading the world to believe that these breaches may be connected.

The “Spellcheck” phishing attack may very well be the most advanced spear phishing attack the world has ever seen. Playing off of human error makes preventing breaches/limiting the damage a people problem, just as much as it is a security technology gap. As you can now see by the examples, the cyber criminals use this attack to trick employees into forking up their credentials, and then revert them back to the legitimate site that the healthcare institutions owns. The employee has absolutely no idea about the cyber theft that just transpired.

The subdomains used are all extremely close in spelling to the legitimate healthcare site. “” looks very similar to “” if read quickly looks almost exactly like “ And now “” looks like “” I mean it even has a “1” in it!

While this attack is certainly not limited to just healthcare organizations, since the value of medical data is so high, healthcare organization should on extreme alert. Teach your employees about the “Spellcheck” phishing attack, and learn from the breaches that have taken place so far. 

Good luck. And remember, always check the spelling.

Download Healthcare Breach Report  


Chris Hines

Product Marketing Manager | Bitglass



see all