Patients of Kent County Community Mental Health Authority impacted by Phishing Attack

Kent County Community Mental Health Authority of Michigan - better known as Network 180 - is notifying around 2,300 patients about their data getting potentially breached after numerous phishing attacks. A notice has been issued by Network180 on their site regarding a HIPAA breach, which said that "we are posting this notice as part of our serious commitment to privacy". The notice mentioned that "despite safeguards in place, bad-actors gained access to Network180 encrypted e-mail accounts through a phishing scheme".

As per the officials, three employees became victim to the targeted phishing campaigns that started on October 28, 2018. As common in the advanced phishing attacks, Network180 has received several "well-disguised emails" which appeared to have come from trusted source.

The officials added that between November 2, 2018, and November 13, 2018, three employees replied to the fake emails and have disclosed their credentials. This allows their encrypted email accounts getting accessed by unauthorized individual.

At least one of those compromised email accounts has the PHI (Protected Health Information) of patients. Many types of protected health information are there in the emails that are stored in compromised email accounts. The types of PHI that could potentially be accessed by attacker varies with every patient, but might have included names, dates of birth, addresses, Medicaid/Medicare ID numbers, ID numbers of Waiver Support Application (WSA), Internal ID numbers of Network180, healthcare providers names, schools which were attended, ethnicity/race, names of relatives, and 20 patients' Social Security numbers.

The notice issued by Network180 on their site said that "we cannot confirm what of this information was actually accessed or viewed by the intruder(s). We think it is unlikely that it was. However, since this information was potentially exposed, we want to be sure that the concerned public and community was notified". As per the officials, no financial data is believed to be exposed.

Upon discovery, Network180 launched an investigation led by their HIPAA privacy officer, HIPAA legal counsel, IT department, and HIPAA security officer. They concluded that the "inappropriate disclosure was not preventable".

Now, all the passwords have been reset and the unauthorized access is not possible. Further, additional safeguards were implemented for improving the email security. Moreover, all the affected patients were offered a minimum 12 months of free identity theft protection services by Experian.

» SPAMfighter News - 1/24/2019