CCRM Dallas Fort Worth and Ramsey County Social Services Breaches Potentially Exposed 1,600+ Patients’ PHI

An unauthorized person accessed the email account of a nurse at CCRM Dallas Fort Worth. CCRM discovered the breach on October 4, 2018, following a report that patients were receiving spam emails originating from the nurse’s email account.

CCRM Dallas-Fort Worth immediately deactivated the compromised email account, and its IT vendor started to investigate the incident. The investigators confirmed unauthorized access to emails containing patients’ protected health information (PHI), which the hackers potentially viewed.

The email account contained a variety of patient information, including names, email addresses, addresses, health insurance information, healthcare histories and health information. Some patients’ driver’s license numbers and Social Security numbers were also included. However, no reports of misuse of the patients’ PHI have been received.

CCRM Dallas-Fort Worth submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. The incident was posted on the OCR breach portal, which indicates that 1,117 patients were affected. Patients also received notification by mail on December 3, 2018.

A phishing attack on Ramsey County Social Services in St. Paul, MN on August 9, 2018 affected 28 employees’ email accounts. The attackers accessed the email accounts and attempted to reroute the employees’ salaries. Quick action was taken to stop the phishing attack and safeguard the email accounts. A data security agency conducted a complete investigation of the phishing attack.

The data security agency informed Ramsey County Social Services on October 12, 2018 that the hackers may have viewed email messages containing the PHI of about 500 patients, most of whom had received mental healthcare and chemical services.

The accounts included these types of data: patients’ names, addresses, birth dates, Social Security numbers, and some medical information. Patients affected by the incident received notification letters in early December. So far, no reports indicating misuse of PHI have been received.

To better protect employees’ email accounts, Ramsey County Social Services enforced the use of multi-factor authentication and strong passwords. New security software was also set up to enable Ramsey County Social Services to track unauthorized access to email accounts. Employees also received additional training.