Phishing Attack on Kent County Community Mental Health Authority Exposed Patient PHI

A targeted phishing attack on Kent County Community Mental Health Authority, dba Network180, began on October 28, 2018.

As in most advanced phishing attacks, the attacker made the phishing emails appear to come from a trustworthy source. From November 2 to November 13, three employees were tricked into responding to the emails and revealed their account credentials to the attacker, who used the credentials to access the email accounts.

One of the three compromised email accounts contained the protected health information (PHI) of Network180 patients. A broad range of PHI was present in the emails in the account.

The kinds of information that the attacker could have accessed differed from one patient to another, but might have included names, dates of birth, addresses, internal ID numbers, Medicaid/Medicare ID numbers, names of healthcare providers, Waiver Support Application (WSA) numbers, schools attended, ethnicity/race, names of relatives and the Social Security numbers of 20 patients. Financial data is not believed to have been compromised.

The internal investigation of the breach found no proof that the attacker accessed, viewed or misused PHI.

Network180 had implemented measures to prevent successful phishing attacks, but the attacker was able to bypass those defenses. The IT department, HIPAA Security Officer, HIPAA Privacy Officer and Network180’s HIPAA legal adviser conducted an internal investigation and determined that it was not possible to avoid the attack.

In response to the breach, all passwords were reset to block unauthorized access. Additional safeguards have also been implemented to enhance email security.

Although the risk of PHI access/theft is believed to be minimal, as a safety precaution, Network180 has offered all patients affected by the breach one year of free identity theft protection services via Experian.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/