HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Oakland Family Services Phishing Attack Claims 16K Victims

Oakland Family Services, a community outreach organization based in Pontiac, MI, has alerted 16,000 of its patients that some of their Protected Health Information was compromised in an email phishing attack that took place on July 14, 2015.

By responding to an apparently legitimate request for information, an employee inadvertently gave the hacker access to data contained in a single email account. The electronic medical record databases were not accessed during the security breach.

A press release issued by Oakland Family Services explained that no financial information was exposed in the breach, but patient names, medical ID numbers, dates of service and details of the services provided may all have been accessed.

Some emails contained more detailed information on patients, which included health insurance and health plan ID numbers, contact telephone numbers, home addresses, dates of birth, and medical diagnoses. A total of 173 Social Security numbers were also exposed.

The data related to patients who had visited Oakland Family Services for treatment between April 2007 and July 2015. Individuals whose Social Security numbers were exposed are being offered a year of free credit monitoring services through Experian.

Fortunately, the breach was discovered on the same day it occurred, and the intruder had access to the email account for only a short time; even so, the sensitive information contained in the emails could have been viewed and copied in that window.

The perpetrator had access to the email account for only a few minutes; however, in that time the individual sent further phishing emails to all of the user’s email contacts. OFS pointed out in the press release that no patients were sent a phishing email through the employee’s account.

A spokeswoman for OFS said “We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account, and based on this incident, even stronger email protocol has been implemented.” She went on to say, “We feel reassured by the fact it doesn’t appear the person gained access in search of PHI, but simply to perpetuate the phishing scheme, based on the amount of time the hacker spent in the account and the actions we know he or she took.”
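The pattern described above (a few minutes of access, then phishing sent to every contact in the address book) is the outbound burst a mail-gateway rule can catch while the intruder is still in the account. The following is an added example, not code from OFS or from the original article: a per-sender sliding-window detector run over constructed mail log lines. The log format (timestamp, sender, recipient), the 10-minute window and the threshold of 10 distinct recipients are assumptions to be tuned against an organization's own sending baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed mail-gateway log (illustrative, not data from the OFS incident).
# Assumed format: "<ISO-8601 timestamp> <sender> <recipient>", one delivery per line.
NORMAL_TRAFFIC = """\
2015-07-14T09:02:11 jdoe@example.org billing@example.org
2015-07-14T09:41:08 jdoe@example.org intake@example.org
2015-07-14T10:15:30 msmith@example.org intake@example.org
this line is malformed and should be skipped
2015-07-14T11:30:00 msmith@example.org billing@example.org
"""
# Twelve messages from jdoe to twelve distinct contacts within twelve seconds:
# the fan-out a hijacked account produces when it phishes the whole contact list.
BURST = "\n".join(
    f"2015-07-14T11:00:{i:02d} jdoe@example.org contact{i:02d}@example.net" for i in range(12)
)
SAMPLE_LOG = NORMAL_TRAFFIC + BURST + "\n"

LINE_RE = re.compile(r"^(\S+)\s+(\S+@\S+)\s+(\S+@\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt = m.groups()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    events.sort(key=lambda e: e[0])
    return events


def detect_fanout(events, window=timedelta(minutes=10), max_distinct=10):
    """Alert the first time a sender reaches `max_distinct` distinct recipients within `window`.

    Each sender keeps only deliveries newer than `window`, so a normal day of email never
    accumulates, while a burst to the whole contact list trips the rule seconds after it starts.
    """
    recent = defaultdict(deque)   # sender -> deque of (timestamp, recipient), oldest first
    alerted = set()
    alerts = []
    for ts, sender, rcpt in events:
        q = recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= max_distinct and sender not in alerted:
            alerted.add(sender)
            alerts.append({
                "sender": sender,
                "alert_at": ts,
                "burst_started": q[0][0],
                "distinct_recipients": len(distinct),
            })
    return alerts


def seconds_to_alert(alert):
    """How long the burst ran before the rule fired, i.e. the head start the intruder had on the responder."""
    return (alert["alert_at"] - alert["burst_started"]).total_seconds()


if __name__ == "__main__":
    for a in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a['sender']}: {a['distinct_recipients']} distinct recipients, "
              f"alert {seconds_to_alert(a):.0f}s after burst start at {a['burst_started']}")
```

On the constructed log the rule fires nine seconds into the burst, on the tenth distinct recipient, and never fires for the account sending normal traffic. The alert is only useful if it is wired to an automatic response (session revocation and a password reset for the sender) rather than a ticket, since the whole attack in this incident fit inside fifteen minutes.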

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to issue breach notification letters to patients who have had their PHI exposed to unauthorized individuals. The covered entity must also notify the Department of Health and Human Services’ Office for Civil Rights (OCR).

Notifications to affected individuals must be issued without unreasonable delay and no later than 60 days from the discovery of the breach. When a breach affects 500 or more individuals, OCR must be notified within the same 60-day window, and notice must also be provided to prominent media outlets when more than 500 residents of a state or jurisdiction are affected.

OFS completed these actions ahead of the 60-day deadline, although determining the scope of the breach took some time: staff had to open and check approximately 60,000 emails in the account to establish which data had been exposed and which patients were affected.
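The scoping step above (reading roughly 60,000 messages to work out what was exposed and who must be notified) is the kind of task a first-pass scanner can narrow before anyone reads a message. The block below is an added example, not OFS’s procedure or code from the article: it scans a constructed mailbox export for SSN, date and plan-ID indicators, counts distinct individuals rather than messages (the 173 figure OFS reported is a count of numbers, not of emails), and keeps only salted hashes in its report so the triage output does not become a new store of PHI. The MBR-######## member-ID format is an assumed, hypothetical pattern.

```python
import hashlib
import re
from collections import defaultdict

# Indicator patterns. The SSN and MM/DD/YYYY patterns are standard; the member-ID
# format (MBR-########) is an assumed, hypothetical plan-ID format for this example.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "date_mmddyyyy": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "member_id": re.compile(r"\bMBR-\d{8}\b"),
}

# Constructed mailbox export (illustrative, not data from the OFS incident).
MESSAGES = [
    {"id": "m1", "subject": "Appointment confirmation",
     "body": "Client Jane Roe, DOB 03/14/1980, plan member MBR-00112233, seen 06/02/2015."},
    {"id": "m2", "subject": "Re: intake form",
     "body": "Please add SSN 123-45-6789 to the intake record for Jane Roe."},
    {"id": "m3", "subject": "Fwd: insurance verification",
     "body": "Two clients to verify: 123-45-6789 and 234-56-7890. Call 248-555-0100 with questions."},
    {"id": "m4", "subject": "Staff picnic",
     "body": "Picnic is Friday at noon. RSVP to the front desk, ext. 0100."},
]


def pseudonymize(value, salt="triage-2015"):
    """Replace a raw identifier with a short salted hash so the report itself carries no PHI."""
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:12]


def scan_message(msg):
    """Return {indicator_kind: set_of_raw_matches} for one message; empty dict means no hits."""
    text = f"{msg['subject']}\n{msg['body']}"
    hits = {}
    for kind, rx in PATTERNS.items():
        found = set(rx.findall(text))
        if found:
            hits[kind] = found
    return hits


def triage(messages):
    """Scan an export and summarize exposure by distinct identifier, not by message count.

    The same SSN appearing in three messages is one affected person for notification purposes.
    Raw values never leave this function: per-message detail is reported as salted hashes.
    """
    per_message = {}
    distinct = defaultdict(set)
    for msg in messages:
        hits = scan_message(msg)
        per_message[msg["id"]] = {k: sorted(pseudonymize(v) for v in vals) for k, vals in hits.items()}
        for kind, vals in hits.items():
            distinct[kind].update(vals)
    return {
        "messages_scanned": len(messages),
        "messages_with_phi": sum(1 for h in per_message.values() if h),
        "distinct_ssn": len(distinct["ssn"]),
        "distinct_by_kind": {k: len(v) for k, v in distinct.items()},
        "per_message": per_message,
    }


if __name__ == "__main__":
    report = triage(MESSAGES)
    print(f"{report['messages_with_phi']} of {report['messages_scanned']} messages need review; "
          f"{report['distinct_ssn']} distinct SSNs exposed")
```

Two caveats a practitioner should keep in mind. The date pattern matches service dates as readily as birth dates, and a phone number such as 248-555-0100 is rejected by the SSN pattern only because of its 3-3-4 shape; regexes narrow the pile that humans must read, they do not replace that reading, and the final notification list still has to be reconciled against the patient record.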

President and CEO of Oakland Family Services, Jamie Clayton, said the Office for Civil Rights will be investigating the breach, and will be visiting the organization in this regard.

Organizations that suffer a data breach will not necessarily be penalized by OCR. Recently, Deven McGraw, OCR’s Deputy Director for Health Information Privacy, explained that data breaches are now an inevitability, and said “It is not possible to get down to zero risk.” That said, the agency has “an expectation that people put reasonable safeguards in place” to protect patient health data.

Oakland Family Services Director of Information Technology, David Partlo, said “Oakland Family Services maintains an extensive security program to safeguard clients’ PHI, which includes annual staff trainings, regular third-party audits of our security protocol, mandatory use of strong passwords, and much more.”

A number of additional protections have now been put in place to prevent similar incidents from happening in the future. All employees are to receive further training sessions to help them identify future phishing scams, and a “heightened password authentication system” has now been put in place.

A forced email archiving system has also been implemented to limit the damage should hackers manage to break through the organization’s defenses again: with older messages moved out of live mailboxes, a compromised account exposes far less historical data. As an additional precaution, Oakland Family Services has also switched from Gmail to another email service provider.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.