35,800 Patients of The Otis R. Bowen Center for Human Services Notified About Email Security Breach

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has announced that unauthorized individuals have gained access to the email accounts of two of its employees.

It is unclear when the email account breaches occurred and for how long unauthorized individuals had access to the email accounts. In its website substitute breach notification, The Otis R. Bowen Center said an independent digital forensic investigation revealed on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The review of the accounts to determine which patients were affected has now been completed, and those individuals have been individually notified by mail. No mention was made of the types of information that were potentially compromised.

The Otis R. Bowen Center said the investigation did not uncover any evidence to suggest that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered complimentary membership to credit monitoring and identity theft protection services through Kroll.

In response to the breach, The Otis R. Bowen Center has taken steps to improve email and network security and is working closely with leading cybersecurity experts to improve the security of its digital environment.

The Department of Health and Human Services’ breach portal indicates the compromised email accounts contained the protected health information of 35,804 patients.

Phishing Attack Reported by University of Minnesota Physicians

University of Minnesota Physicians has discovered two employee email accounts have been compromised as a result of responses to phishing emails. In each case, the phishing attacks were detected shortly after the email accounts were compromised and action was taken on January 31, 2020 and February 4, 2020 to secure the accounts.

An unauthorized individual had access to one account for less than two days, and the second account was accessible only for a few hours.

A comprehensive investigation was conducted by third-party computer forensics experts, but it was not possible to determine if any emails in the accounts were viewed or copied by the attackers. A review of the email accounts was conducted by third-party specialists who determined the email accounts contained patient names, telephone numbers, addresses, dates of birth, demographic information (race, gender, ethnicity), Social Security numbers, insurance ID numbers, location of treatment, provider names, limited medical history information, and case numbers.

UMPhysicians started sending notification letters to affected individuals on March 30, 2020 and is offering complimentary membership to credit monitoring and identity theft protection services through Kroll for 12 months.

UMPhysicians said multiple email security controls were in place at the time the email accounts were attacked, including multi-factor authentication. Employees had also been provided with security awareness training and phishing simulation exercises are regularly conducted.

Refresher training has now been provided to employees and UMPhysicians is looking into measures that can be implemented to further improve email security.

The OCR breach portal indicates 683 patients were affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.