Kent County Community Mental Health Authority is notifying 2,284 patients that their data was potentially breached after several phishing attacks.
According to officials, three employees fell victim to targeted phishing campaigns on October 28. The provider received a series of “well-disguised emails” that appeared to be sent from a trusted source. Over the course of nine days in November, officials determined that three email accounts had been compromised.
Upon discovery, the provider launched an investigation led by its HIPAA privacy officer, HIPAA security officer, IT department, and HIPAA legal counsel.
Protected health data was contained in the encrypted email accounts, including names, addresses, dates of birth, Medicaid and Medicare ID numbers, waiver support application ID numbers, provider names, schools attending or attended, demographic data, and the names of relatives. About 20 patients saw their Social Security numbers compromised.
The investigation could not rule out whether the hacker accessed or viewed the data contained in the compromised emails. Officials stressed that there is no evidence that financial data was exposed, accessed, or viewed.
Further, officials determined that “inappropriate disclosure was not preventable.” The notification did not explain that conclusion. The provider has since performed a mass password reset and confirmed that no other accounts were affected. It is also implementing additional safeguards to prevent future phishing attacks.
Theft of Unencrypted Laptop Behind Solis Mammography Breach
Solis Mammography is notifying about 500 patients after the theft of an unencrypted laptop from its Phoenix, Arizona clinic.
Officials discovered the theft on October 18 and notified law enforcement. The investigation determined that some patient information had been downloaded to the device. Because the device has not been recovered, officials cannot establish exactly what data was exposed.
Attempts have been made to reconstruct the data stored on the laptop with the help of a third-party computer forensics firm. Officials said it’s likely the data contained patient names, birth dates, health insurance data, lab results, medical images, and other personally identifiable information.
Officials don’t believe financial data was stored on the computer. Further, the notification does not explain why the data on the laptop was not encrypted.
Solis Mammography has since strengthened its access controls, and officials are reviewing policies around the secure disposal of patient data.