Cybersecurity, Mental Health and HIPAA

All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents and families may need to use county resources every now and again. These various services are readily available. In the Grand Rapids, MI area there is an agency providing mental health services. The services are provided by the Kent County Community Mental Health Authority. The organization is also known as Network 180.

Attack Method

The system was breached on October 28, 2018, and the breach remained open for approximately 9 days. The county agency was targeted by a phishing campaign. This has been seen in abundant numbers over the last few years as more phishers come online and users continue to be click-happy. The phishing emails were above average in composition and form, as they were created from a legitimate source. Three employees, lured by the emails, clicked the link or attachment.

Once the breach was detected, there was a full investigation. The investigation was managed by the HIPAA Privacy Officer, HIPAA Security Officer, IT Department, and HIPAA Legal Counsel. The issue was reported to HHS. The investigating team, through their efforts, could not definitively state whether the data was viewed or accessed.

Data

The attackers focused on data and other valuable points in the system. With this attack, the subject data was encrypted email accounts (names, addresses, dates of birth, Medicaid and Medicare ID numbers, Network 180 internal ID numbers, waiver support application ID numbers, provider names, schools attending or attended, demographic data, names of the patient’s relatives, ethnicity or race, and the patient’s health care provider(s)). For approximately 20 of the 2284 patients, Social Security numbers were also compromised.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Remediation

The successful attack required a mass password reset. The organization also needed to update their cybersecurity measures.

Resources

Davis, J. (2019, January 10). Phishing attack hits Kent County Community Mental Health. Retrieved from https://healthitsecurity.com/news/phishing-attack-hits-kent-county-community-health

Dissent. (2019, January 8). MI: Kent County Community Mental Health Authority notifies 2,284 patients after phishing attack. Retrieved from https://www.databreaches.net/mi-kent-county-community-mental-health-authority-notifies-2284-patients-after-phishing-attack/

Hackbusters. (2019, January). Phishing attacks at mental health organization affects 2284 clients. Retrieved from http://www.hackbusters.com/news/stories/4248385-phishing-attacks-at-mental-health-organization-affects-2284-clients-health-data-management

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
