Ramsey County has learned that the phishing attack on August 2018 has impacted considerably more persons than originally believed. The number of affected individuals went up from 599 to 117,905.
The first breach report mentioned about the compromise of 26 workers’ email accounts in a phishing attack some time in August 9. Ramsey County uncovered the phishing attack quickly and protected the impacted accounts. The intent of the people behind the phishing attack was to re-direct the salaries of employees.
The preliminary investigation, done on October 12, 2018 with a data security company’s help, determined that the attackers may have accessed sensitive data held in the compromised employee accounts. The accounts were determined to hold clients’ names, birth dates, addresses, Social Security numbers, and some health data.
On December 11, 2018, Ramsey County submitted a breach report to the HHS’ Office for Civil Rights and advised impacted customers. The preliminary breach report showed 599 clients were impacted. After 9 months, Ramsey County has stated that the personal and medical information of 117,905 persons were compromised.
Around May 21, 2019, County officers found out that 2 of the 26 personnel’s email accounts have ‘limited amounts’ of medical data connected to services made available to the Minnesota Department of Human Services with the Child & Teen Checkups plan and the help offered to the St. Paul-Ramsey County Public Health Department.
The accounts held data like names, birth dates, addresses, patient identifiers, booking dates, scheduled appointment types, patient master index numbers, the names of patients’ representatives and household identification numbers. There was no Social Security number, medical diagnosis, prescription and treatment data compromised. There was no information about data theft or improper use of patient details.
Ramsey County had published an update concerning the breach on July 1, 2019 mentioning 4,638 persons more were impacted and sent 3,272 further notifications. Ramsey County has mentioned that a total of 116,255 notification letters were already delivered.
The HIPAA mandates covered entities to inform OCR regarding a breach in 60 days from the time of discovery. In case the quantity of impacted persons is unidentified at that moment, a provisional total could be presented. The breach report may be changed when additional detail is available.
It may take several months to finish breach investigations, therefore, the magnitude of a cyberattack might not be obvious at first. In this incident, the investigation was complex since a number of the employees whose email accounts were affected offered services to a number of departments in the County. It was hard to completely assess all the data in the affected accounts.