Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered that an August 2018 phishing attack impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905.

The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks.

The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information.

Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. Nine months on, Ramsey County has announced that 117,905 individuals have had their personal and health data exposed.

On or around May 21, 2019, County officials learned that the email accounts of two of the 26 employees contained ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support provided to the St. Paul-Ramsey County Public Health Department.

The information contained in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification numbers, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription information were not exposed. No evidence of data theft was uncovered, and no reports have been received indicating there has been any misuse of patient information.

Ramsey County had issued an update about the breach on July 1, 2019 stating a further 4,638 individuals had been affected and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.

Under HIPAA, covered entities are required to notify OCR of a breach within 60 days of discovery. If the number of affected individuals is not known at the time, a provisional total can be provided. The breach report can then be updated when further information becomes available.

Breach investigations can take several months to complete, as the extent of a cyberattack may not initially be apparent. In this case, the investigation was complicated because several of the employees whose email accounts were compromised provided services to multiple departments within the County. Ramsey County said that made it difficult to fully evaluate all the information in the compromised accounts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.