Authentic Recovery Center, a West Los Angeles-based drug and alcohol treatment center, is contacting 1,790 clients to inform them that some of their personally identifiable information (PII) and protected health information (PHI) may have been stolen by an unauthorized individual due to a phishing attack.
The phishing attack was identified on June 21, 2018, leading to a full investigation. This revealed that the breach was restricted to a single email account. All other email accounts and systems were unaffected.
Access to the email account in question was first obtained on June 7, 2018, and continued until the breach was finally noticed on June 21 and the account was locked down.
An email-by-email review of the compromised account showed that it contained the PII and PHI of clients and staff members. Employee information accessible via the account was restricted to name and driver’s license number, apart from that of two people who also had their address, contact telephone number, date of birth, and Social Security number stolen.
Clients affected by the incident had their name stolen, along with the fact that they were clients of Authentic Recovery Center and a small amount of clinical data. Only one person had payment card information obtained.
While the account was exposed, no evidence has been uncovered to indicate any information was obtained or misused by the hacker.
For most of the individuals affected by the breach, the risk of identity theft and fraud is minimal due to the range of information that was accessible. As a precautionary measure, all those affected by the breach have been provided with free credit monitoring services for one year. It was also recommended that affected people check their credit reports for any evidence of fraudulent activity.
The breach has led to Authentic Recovery Center adopting additional controls to safeguard its email accounts, and staff members have been given more training on how they can safeguard data systems.