Phishing Incidents Reported by Fraser and East Central Indiana School Trust

East Central Indiana School Trust (ECIST) has started notifying more than 3,200 individuals that some of their protected health information (PHI) has been exposed as a result of a recent phishing attack.

On May 19, 2019, an employee was fooled into disclosing email account credentials, which the attacker then used to gain access to that individual’s email account. The breach was detected on May 22, 2019, and the account was secured.

A third-party computer forensics company was retained to investigate the breach and determine whether patient information was compromised or stolen in the attack. The forensics firm did not uncover any evidence to suggest emails in the account were opened or downloaded by the attacker, but the possibility of unauthorized data access and theft could not be ruled out.

The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information.

The breach has been reported to the HHS’ Office for Civil Rights as potentially impacting up to 3,259 trust members’ employees and their dependents.

PHI Exposed in Fraser Phishing Attack

Fraser, a Minnesota-based provider of autism and early childhood mental health services, experienced a phishing attack on August 6, 2019, involving a single employee’s email account.

The attack was identified promptly and the compromised email account was secured within a few hours. Fraser launched an investigation into the breach and, assisted by its IT vendors, determined that the attacker potentially accessed client information.

The compromised email account contained a Fraser waitlist spreadsheet that detailed clients’ names, internal ID numbers, home cities, ZIP codes, notes about scheduling preferences, and details of the services for which clients were being referred.

Fraser is reviewing and updating its procedures for the internal exchange of client information, and its systems will continue to be monitored closely to ensure that its security systems are working correctly.

The HHS’ Office for Civil Rights breach portal indicates 2,890 individuals have potentially been affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.