Authentic Recovery Center, a drug and alcohol treatment center based in West Los Angeles, recently experienced a phishing attack that resulted in the personally identifiable information (PII) and protected health information (PHI) of 1,790 individuals being exposed.
Authentic Recovery Center discovered the phishing attack on June 21, 2018 and immediately launched a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times.
An employee responded to the phishing email and disclosed login credentials, which the attacker used to access the account. The unauthorized access occurred on June 7, 2018, and access remained possible until the email account was secured on June 21. During that time, emails in the account may have been viewed and the mailbox could potentially have been downloaded. No evidence of misuse of patient and employee information was found.
An analysis of the compromised account revealed it contained the PII and PHI of clients and employees in messages and email attachments. Employee information accessible through the account was limited to names and driver’s license numbers, with the exception of two individuals who also had their addresses, contact telephone numbers, dates of birth, and Social Security numbers exposed.
For almost all individuals impacted by the breach, the risk of identity theft and fraud is low due to the types of information exposed. As a precaution, all individuals affected by the breach were provided with free credit monitoring services for 12 months. It was additionally recommended that impacted people should check their credit reports for any sign of fraudulent activity.
Authentic Recovery Center has implemented additional controls to protect its email accounts, and employees have been provided with additional training on securing sensitive information and data systems.