Email Accounts Compromised at Children’s Minnesota and the LA County Dept. of Mental Health
Children’s Health Care in Minnesota and the Los Angeles County Department of Mental Health have reported email security breaches that exposed patient information.
Children’s Health Care, Minnesota
Children’s Health Care, a children’s hospital in Minneapolis, MN, has discovered that patients’ protected health information has been exposed in an email security incident that was detected on March 13, 2024. Suspicious activity was identified in its email system and the forensic investigation confirmed that there had been unauthorized access to two employee email accounts between February 29, 2024, and March 25, 2024. The review of the emails and attachments is ongoing; however, it has been determined that patient information related to the surgical services department was stored in those accounts.
The information potentially compromised in the attack included names, addresses, dates of birth, insurance carrier names, medical record numbers, provider names, treatment cost information, and/or limited treatment information related to care received at Children’s Minnesota. The compromised accounts did not contain any financial account information, credit card information, or Social Security numbers. While patient data has been exposed, Children’s Minnesota is unaware of any misuse of that information.
The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 7,260 patients. Those patients will be notified by mail in the coming weeks. Children’s Minnesota already provides cybersecurity and privacy training to its workforce, will continue to do so, and will be implementing additional safeguards to improve email security.
LA County Department of Mental Health, California
The LA County Department of Mental Health has fallen victim to a phishing attack that resulted in unauthorized access to an employee’s email account and the protected health information of 1,598 patients. The attack occurred on March 20, 2024, via a compromised employee email account at an unnamed external entity. The attacker used the account to send a phishing email to an employee of the department, who responded believing the email to be genuine and disclosed their account credentials.
The account review confirmed that names, addresses, telephone numbers, dates of birth, medical record numbers, and Social Security numbers were potentially compromised. The Department said it had extensive measures in place to protect against this type of attack but those safeguards were circumvented due to the exploitation of a vulnerability in Microsoft’s Office 365 multifactor authentication.
After the affected accounts were disabled, the Office 365 and multifactor authentication credentials were reset, and security policies, procedures, and controls were reviewed and updated. The Department has notified Microsoft about the vulnerability and has implemented additional controls to better protect against these types of attacks in the future. The review was completed on May 16, 2024, and individual notifications were mailed on May 20, 2024.


