The mental health and substance abuse treatment provider InterAct of Michigan has announced that the protected health information (PHI) of 1,290 patients has potentially been accessed by an unauthorized individual who succeeded in gaining access to an employee’s email account. Patients affected by the breach had previously visited its clinics in Grand Rapids and Kalamazoo.
InterAct of Michigan became aware of the breach on June 8, 2018 and immediately launched an investigation to determine whether PHI was accessed and the extent of the security breach. Access to the employee’s account was immediately terminated and a computer forensics company was called in to help with the investigation.
The investigators issued a statement on July 30, 2018 confirming that the PHI of some patients was potentially accessed through the email account. No other systems were compromised. The exposed information included patients’ names and Social Security numbers, and some patients may also have had their birth date, prescription information, and treatment records exposed.
Because of the sensitive nature of the data that was exposed, all impacted patients were offered free identity theft protection services for one year. InterAct of Michigan has now sent notification letters to all affected people, and the Department of Health and Human Services’ Office for Civil Rights was also informed of the breach on August 7, 2018.
Steps have now been taken to enhance security to avoid further data security breaches. Monitoring of email accounts has also been enhanced, and email access logs are now being checked on a weekly basis. InterAct of Michigan has also set up a new rule that prohibits the forwarding of emails to external email accounts.