2,290 Patients got notified about Phishing Attack on Harbor Behavioral Health

Harbor Behavioral Health (HBH), a network of mental health treatment and counselling centers based in Northwest Ohio, found that an unauthorised person had used an HBH employee's email account in order to access their network containing patient PHI. This discovery was made on Feb. 13, 2019.

An outside computer forensics firm was hired by HBH to assist in this breach investigation. The HBH investigators found that the unauthorised person had access to that employee email account in between Dec. 2018 and Feb. 2019 (i.e. for three months). They also discovered a second compromised employee email account at the time of investigation, and attributed this second breach to that same unauthorised person. In both the cases, HBH immediately terminated the unauthorized access to those employee email accounts and they were also secured.

The investigators analysed both compromised employee email accounts in order to determine the types of PHI that might have been accessed by the hacker. The compromised employee email accounts included various patient information like names, health insurance details, dates of birth, as well as information related to services provided by the HBH. Some patients Social Security numbers as well as driver's license numbers were also exposed. Overall, the unauthorised person has compromised 2,290 patients PHI in those two email accounts after gaining access of HBH's network. All the 2,290 patients were notified about the phishing attack.

Patients whose data have been accessed by that unauthorised person are at a more risk of having identity theft along with other types of fraud. To lessen the dangers of data misuse, complimentary identity theft protection and credit monitoring services were offered by HBH to all the patients whose driver's license number or Social Security number was exposed.

Apart from securing the accounts, HBH has taken steps to strengthen the access controls in order to block the unauthorised persons using the external IP addresses. The HBH have also increased the log reviews along with the automated alerts frequency, and has strengthened their security processes.

Additionally, HBH has provided training to the employees to assist them to detect and therefore avoid those phishing emails.

» SPAMfighter News - 5/17/2019