10,600 Patients Affected in Mille Lacs Health System Phishing Attack

The protected health information of more than 10,000 patients has been impacted in a phishing attack no the Onamia, MN-based Mille Lacs Health System

Phishing emails were shared to a number of its employees that included directing them to a website that requested their email details. A small number of employees were tricked by the scam.

Mille Lacs Health System became aware of the phishing attack on November 14, 2020 and began an investigation to ascertain the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was finished on April 22, 2020 and confirmed that patient data may have been accessed.

Information possibly stolen includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers.  No proof was found to suggest patient information was obtained or misused by the hackers.

All accounts have been locked down and made safe for use, a full password reset was carried out for all email accounts, and additional measures have been put in place to strengthen email security. Impacted individuals were alerted in relation to the breach by mail on May 11, 2020 and have been provided with free credit monitoring services.

The breach report sent to to the Department of Health and Human Services’ Office for Civil Rights indicates 10,630 patients were impacted by the breach.

Meanwhile, North Shore Pain Management in Massachusetts has suffered a manual AKO ransomware attack and the data of some of its patients was illegally taken.

The incident has not yet been published on the HHS’ Office for Civil Rights breach portal and, at the time of writing, there is no substitute breach notice placed on the company’s website. The breach was covered on databreaches.net, which reports that around 4GB of data relating to the company has been published on the Tor site used by the hackers. More than 4,000 files including patient and employee information has been dumped online.

The files included a variety of sensitive protected health information including Social Security numbers, health information, and insurance details.