1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center

The West Los Angeles-based drug and alcohol treatment center, Authentic Recovery Center, is alerting 1,790 individuals that some of their personally identifiable information (PII) and protected health information (PHI) has potentially been obtained by an unauthorized individual as a result of a phishing attack.

The phishing attack was discovered on June 21, 2018 prompting a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times.

Access was first gained the email account on June 7, 2018 and continued until the breach was detected on June 21 and the account was secured.

An email-by-email analysis of the compromised account revealed it contained the PII and PHI of clients and employees. Employee information accessible through the account was limited to name and driver’s license number, with the exception of two individuals who also had their address, contact telephone number, date of birth, and Social Security number exposed.

Clients impacted by the incident had their name exposed, the fact that they were clients of Authentic Recovery Center, and a limited amount of clinical information. Only one individual had payment card information exposed.

While the account was accessed, no evidence has been uncovered to suggest any information was obtained or misused by the attacker.

For the majority of individuals impacted by the breach, the risk of identity theft and fraud is low due to the types of information that were exposed. Out of an abundance of caution, all individuals affected by the breach have been offered complimentary credit monitoring services for 12 months. It was also recommended that impacted individuals check their credit reports for any sign of fraudulent activity.

The breach has prompted Authentic Recover Center to implement further controls to secure its email accounts and employees have been provided with further training about how they can secure information systems.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.