Kent County Community Mental Health Authority of Michigan, dba as Network180, issued a notice on their site about a HIPAA breach that they reported to HHS as affecting 2,284 patients. Here is the text of their notice:
We are posting this notice as part of our serious commitment to privacy. We regret to inform the public that Network180 has discovered a potential breach of protected health information related to over 2,200 of our clients.
Despite safeguards in place, bad-actors gained access to Network180 encrypted e-mail accounts through a “phishing” scheme. On October 28, 2018, Network180 received a series of well-disguised e-mails that appeared to come from a trusted source. Between November 2 through November 13 we determined that three (3) of our staff members had their encrypted email accounts compromised after receiving the fake emails.
Protected health information contained in at least one of these encrypted email accounts may have included the following categories of exposed information:
• Social Security Numbers (only 20 clients were determined to have SSNs exposed)
• Addresse(s) (current or previous)
• Date of birth
• Medicaid ID number
• Medicare ID number
• Network180 internal ID number
• Waiver Support Application (WSA) ID number
• Name(s) of one or more of a client’s health care providers
• School(s) attending or attended
• Information on ethnicity/race
• Names of a relative or relatives
We cannot confirm what of this information was actually accessed or viewed by the intruder(s). We think it is unlikely that it was. However, since this information was potentially exposed, we want to be sure that the concerned public and community was notified. Additionally, we want to emphasize that we do not believe, nor see any evidence would lead us to believe, any financial information was exposed, accessed, or viewed.
Upon learning of this privacy concern, Network180 launched an internal investigation regarding the matter. The investigation was conducted by Network180’s HIPAA Privacy Officer, HIPAA Security Officer, IT Department, and HIPAA legal counsel. We have concluded our investigation and determined that the inappropriate disclosure was not preventable, have taken remedial steps (such as mass password resets and making sure that no other email accounts were effected), and are putting in place additional safeguards to protect against further “phishing” attacks.
We do not have any information that would suggest that any of our clients’ identity is at risk of theft, nor do we think the type of data potentially accessed is likely to make them vulnerable to identity theft. However, out of an abundance of caution and goodwill, and as an apology for this unfortunate situation, we offered at least one year of free identity protection services through Experian to identified clients.
We deeply regret that this incident occurred. These situations are inherently difficult/impossible to prevent. Network180 is committed to keeping Network180 recipients’ personal information as protected and safe as possible, and we hope that we have the opportunity to reinforce that commitment to our clients and our community.
If you have any concerns or questions about this statement, please do not hesitate to call Network180 Customer Services at (866) 411-0690, or e-mail at customerservices (at) network180 dot org.
I will grant you that these types of incidents are difficult to prevent. But “impossible?”