Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc., (NARA), a provider of education, physical and mental health services and substance abuse treatment services to native Americans, is alerting certain individuals about a malware infection that has potentially allowed unauthorized individuals to gain access to their protected health information.

NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6.

The malware was determined to be the Emotet Trojan: A credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information.

According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by the attackers or there was a high risk of the information being accessed. Another group of patients was also potentially affected. For this group, no evidence of unauthorized access was found.

The types of information contained in the email accounts varied from person to person and may have included names, home addresses, Social Security numbers, birth dates, and medical record or patient ID numbers. A limited number of individuals also had clinical information exposed, including diagnoses, services received, treatment information, and treatment dates.

In total, up to 25,187 individuals may have been affected, according to the HHS’ Office for Civil Rights’ Breach portal.

“It is sad that there are people in the world whose intent is to cause harm and distress to vulnerable populations such as our clients,” said Jacqueline Mercer, CEO of NARA NW. “Words cannot express how truly sorry we are that our clients and NARA NW have been subjected to this malware attack.”

A new endpoint protection solution has now been implemented on all computers which monitors for suspicious activity. Policies and procedures are being reviewed and will be updated as necessary and staff have been provided with further security awareness training.

Mercy Health Lorain Hospital Laboratory Patients Affected by Mailing Error

RCM Enterprise Services, Inc., a provider of patient billing services to Mercy Health Lorain Hospital Laboratory in Ohio, is alerting certain patients about an impermissible disclosure of some of their individually identifiable personal information.

An error was accidentally introduced in the invoice mailing process which allowed Social Security numbers to be viewable through the windows of envelopes used for a medical invoice mailing sent by RCM’s contracted mailing vendor on or around November 7, 2019.

The invoices should only have had name, street address, city, state, and zip code visible. The error resulted in an individual’s name and street address being visible along with that individual’s Social Security number instead of the city and zip code.

“We take this incident, as well as information privacy and security, very seriously, and have enhanced our procedures in order to prevent the occurrence of a similar incident,” said Barbara Shaub, Director, Revenue Cycle Management of RCM.

No reports have been received to suggest there has been any misuse of patient information. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. 5,965 individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.