Mille Lacs Health System Phishing Attack Impacts 10,600 Patients
Onamia, MN-based Mille Lacs Health System has experienced a phishing attack that exposed the protected health information of more than 10,000 patients.
Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam.
Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed.
Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers. No evidence was found to suggest patient information was obtained or misused by the attackers.
All accounts have been secured, a full password reset was performed for all email accounts, and additional measures have been implemented to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020 and have been offered complimentary credit monitoring services.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 10,630 patients were affected by the breach.
North Shore Pain Management Experiences Ransomware Attack
North Shore Pain Management in Massachusetts has experienced a manual AKO ransomware attack and the data of some of its patients was stolen.
The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal and, at the time of writing, there is no substitute breach notice on the company’s website. The breach was covered on databreaches.net, which reports that approximately 4GB of data relating to the company has been published on the Tor site used by the attackers. More than 4,000 files containing patient and employee information has been dumped online.
The files contained a range of sensitive protected health information including Social Security numbers, health information, and insurance information.
PsyGenics Employee Emailed Client Information to Personal Email Account
The Detroit-based occupational therapy, speech therapy, and family therapy provider, PsyGenics, Inc., has discovered one of its employees forwarded a spreadsheet containing customer information to a personal email account. The breach was detected on March 25, 2020 as part of a regular security review. The email was sent on March 24, 2020.
The spreadsheet contained information such as customers’ names, diagnosis codes, provider names, and appointment times. No other information such as treatment notes were detailed in the spreadsheet. No reason was given as to why the employee sent the spreadsheet to their personal email account. PsyGenics says it found no evidence of attempted or actual misuse of client information.