Phishing Attack on Kent County Community Mental Health Authority Exposed Patient PHI

A targeted phishing attack on Kent County Community Mental Health Authority, dba Network180, began on October 28, 2018.

Just like most advanced phishing attacks, the attacker made it seem that the phishing emails had been sent from a trustworthy source. From November 2 to November 13, three employees were tricked into responding to the emails and revealed their account credentials to the attacker, who used the credentials to access the email accounts.

One of the three compromised email accounts contained the protected health information (PHI) of Network180 patients. A broad range of PHI was present in the emails in the account.

The kinds of information that the attacker could have accessed differed from one patient to another, but might have included names, dates of birth, addresses, Internal ID numbers, Medicaid/Medicare ID numbers, names of healthcare providers, Waiver Support Application (WSA) numbers, schools that were attended, ethnicity/race, names of relatives and the Social Security numbers of 20 patients. Financial data is not believed to have been compromised.

As per the results of the internal investigation of the breach, no proof was found to indicate the accessing, viewing or misuse of PHI by the attacker.

Network180 had implemented measures to prevent successful phishing attacks, although the attacker was able to bypass those defenses. The IT department, HIPAA Security Officer, HIPAA Privacy Officer and Network180’s HIPAA legal adviser conducted an internal investigation and determined that it was not possible to avoid the attack.

In response to the breach, all passwords were reset to block unauthorized access. Additional safeguards have also been implemented to enhance email security.

Although the risk of PHI access/theft is believed to be minimal, as a safety precaution, Network180 has offered all patients affected by the breach one year of free identity theft protection services via Experian.