A targeted phishing attack on Kent County Community Mental Health Authority, dba Network180 began on October 28, 2018.
Just like most advanced phishing attacks, the attacker made it seem that the emails were sent from a trustworthy source. From November 2 to November 13, three employees were tricked into responding to the emails and revealed to the attacker their account credentials. Hence, an unauthorized person got access to their encrypted email accounts.
One of the three compromised email accounts stored the protected health information (PHI) of Network180 patients. A broad range of PHI were found to have been included in the email messages in the exposed account.
The kinds of information that the attacker could have accessed differed from one patient to another, but might have involved names, dates of birth, addresses, Internal ID numbers, Medicaid/Medicare ID numbers, names of healthcare providers, Waiver Support Application (WSA) numbers, schools that were attended, ethnicity/race, names of relatives and the Social Security numbers of 20 persons. It is believed that financial data were not exposed.
As per the results of the internal investigation of the breach, there was no proof that indicate the access, viewing or misuse of PHI by the attacker.
Network180 claim to be using safety measures for protecting the PHI of patients. However, the attacker was able to bypass the security controls. The IT department, HIPAA Security Officer, HIPAA Privacy Officer and Network180’s HIPAA legal adviser conducted an internal investigation and determined that it was not possible to avoid the attack.
As a response to the breach, all passwords were reset to block unauthorized access. More safeguards were implemented to enhance email security.
Although the risk of PHI access/theft is minimal, as a safety precaution, Network180 offered all patients affected by the breach at least one year of free identity theft protection services via Experian.