Share this article on:
Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual.
The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019.
An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: Name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers.
The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access to identity theft protection and credit monitoring services for 12 months.
In response to the breach, Metrocare Services will be implementing additional security measures and will be strengthening the security of its email system. Multifactor authentication will also be implemented to prevent accounts from being accessed in the event that credentials are compromised in future attacks.
This is not the first phishing attack that Metrocare Services has experienced. Two months previously, in November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks.
Those measures were clearly not sufficient to prevent further attacks. Had multifactor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.