Kent County Community Mental Health Hit By Phishing Attack

Since late October of 2018, Kent County Community Mental Health Authority is being attacked by a massive number of phishing messages. Their database administrator issued a notice in compliance with HIPAA, reporting to the HHS about the exposure of information of 2,284 patients.

“We are posting this notice as part of our serious commitment to privacy. We regret to inform the public that Network180 has discovered a potential breach of protected health information related to over 2,200 of our clients. Despite safeguards in place, bad-actors gained access to Network180 encrypted email accounts through a “phishing” scheme. On October 28, 2018, Network180 received a series of well-disguised e-mails that appeared to come from a trusted source,” explained by the HIPAA notice.

Ken County Community Mental Health Authority also revealed the exact categories of patient data affected by the phishing attacks:

• Full Name(s)
• Social Security Numbers (only 20 clients were determined to have SSNs exposed)
• Addresse(s) (current or previous)
• Date of birth
• Medicaid ID number
• Medicare ID number
• Network180 internal ID number
• Waiver Support Application (WSA) ID number
• Name(s) of one or more of a client’s health care providers
• School(s) attending or attended
• Information on ethnicity/race
• Names of a relative or relatives

With the initial feedback from the investigation conducted, three employees of the hospital replied with the phishing emails. These events released their information, including their login credentials, enabling 3rd parties to have access to patients data. A team composed of the hospital’s IT team, HIPAA Security Officer, Network180’s legal team and HIPAA Privacy Officer are in the case to further reproduce the story.

“We have concluded our investigation and determined that the inappropriate disclosure was not preventable, have taken remedial steps (such as mass password resets and making sure that no other email accounts were affected), and are putting in place additional safeguards to protect against further ‘phishing’ attacks. We do not have any information that would suggest that any of our clients’ identity is at risk of theft, nor do we think the type of data potentially accessed is likely to make them vulnerable to identity theft. However, out of an abundance of caution and goodwill, and as an apology for this unfortunate situation, we offered at least one year of free identity protection services through Experian to identified clients,” said by Kent County Community Mental Health Authority representative.

All users of email need to practice safe computing habits in order not to fall for scams like phishing. Pay special attention to email security, since it is one of the most used tools to carry out scams, introduce viruses, etc. Below instructions are highly recommended:

• Do not open email messages from unknown senders.
• Beware of those emails in which banks, auction companies or online sales sites request passwords, confidential information, etc.
• Do not spread those emails with dubious content and ask you to be forwarded to all your contacts. This type of messages, known as hoaxes, pretend to warn of the appearance of new viruses, transmit urban legends or messages of solidarity, disseminate shocking news, etc. These chains of emails are usually created with the aim of capturing the email addresses of users who will later be sent messages with viruses, phishing or all kinds of spam.
• Use some type of Anti-Spam software to protect your email account from unwanted messages.