Exposure of Seattle Community Psychiatric Clinic Patient Data Due to Email Security Breaches

A Seattle, WA provider of accredited outpatient, counseling services and mental health treatment, Community Psychiatric Clinic, has encountered two security breaches resulting in the compromise of patient information. In the two instances, an unauthorized person accessed the Microsoft Office 365 account of an employee.

Community Psychiatric Clinic detected the first security breach on March 12, 2019 when there was unauthorized access of an employee’s account. The IT department secured the compromised account immediately, changed the passwords, and restored the employee’s hard drive. The email account likewise got extra protections applied to avoid identical breaches from happening later on. The investigators did not find any evidence to indicate the theft of patient data.

About two months after, another attack on May 8, 2019 was discovered compromising a second email account. The attacker sent a fraudulent wire transfer request to another employee using the compromised email account. The fraudulent transfer was completed, but all the funds were recovered thanks to the quick response of the clinic. The account password was reset to block the attackers and more protections were applied on the breached account to minimize the threat of further attacks. Once again, there was no evidence found that indicate the theft of patient information.

According to a forensic investigation, besides the two accounts mentioned above, there were two more accounts compromised. The investigators noted that the attackers got access to the mailboxes via Outlook Web Access, thus it considerably decreased the possibility for mass data exfiltration. There is no evidence of data exfiltration, which means that the attackers were not successful in getting patient data. Nevertheless, patients were sent notification as a safety precaution.

The breaches have not been posted on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, thus the number of affected patients is not yet certain