On October 28, 2018, a cyber attacker initiated a targeted phishing attack on Kent County Community Mental Health Authority, dba Network180. The employees were not able to identify the phishing emails sent to them because the emails seemed to come from a reputable source. Between November 2 and 13, three employees responded to the emails and inadvertently revealed their account details to the attacker. The unauthorized individual was then able to access the employees’ encrypted email accounts.
The protected health information (PHI) of Network180 patients was found in one of the compromised email accounts. A broad range of PHI was included in the email messages that the attacker could have accessed. Though the information differed from patient to patient, the exposed information may have included names, birth dates, addresses, schools attended, names of relatives, internal ID numbers, names of healthcare providers, Medicaid/Medicare ID numbers, Waiver Support Application (WSA) numbers, ethnicity/race and the Social Security numbers of 20 persons. Network180 believes no financial data was exposed.
The incident was investigated, but the investigators found no evidence that the attacker accessed or misused any PHI. Network180 remarked that the organization uses safety procedures to safeguard patients’ PHI. Nonetheless, the security controls were not enough to stop the attacker from accessing its systems. Network180’s IT department, HIPAA Security Officer, HIPAA Privacy Officer and HIPAA legal adviser carried out an internal investigation and established that the attack was impossible to avoid.
To prevent future breaches, passwords were reset to block unauthorized access. Additional safety measures were employed to strengthen email security.
Though the risk of PHI access or theft is deemed minimal, Network180 still offered all affected patients one year of free identity theft protection services through Experian as a safety measure.