InterAct of Michigan, a provider of mental health and substance abuse treatment through health centers in Kalamazoo and Grand Rapids, has found that an unauthorized person gained access to the email account of a staff member and may have viewed and copied the protected health information of 1,290 people.
The attack was noticed on June 8, 2018, leading to a thorough investigation to determine the nature and scope of the breach. Immediate action was taken to disable access to the compromised account, and an internal investigation was initiated. A leading computer forensics company was contracted to help with the investigation.
On July 30, 2018, InterAct of Michigan discovered that the protected health information of certain patients had possibly been obtained. The information was found in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some individuals, date of birth, prescription details, and treatment history may also have been obtained.
Due to the sensitive nature of the information that was accessed, all impacted patients have been offered free identity theft protection services for one year.
On August 7, 2018, alerts were sent to affected people and the Department of Health and Human Services’ Office for Civil Rights was informed of the breach.
InterAct of Michigan has put additional measures in place to enhance security to stop further breaches and ensure that in the event of a further email account compromise, the breach will be discovered much more quickly.
Email access logs are now being audited on a weekly basis to spot any suspicious behavior, and individual users’ inbox rules are similarly being monitored. A procedure has also been set up that stops the forwarding of emails to external email accounts, which suggests such a rule may have been implemented by the individual responsible for this attack.
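As an added illustration of the inbox-rule monitoring described above (not InterAct of Michigan's own procedure), the following sketch audits an exported list of per-user inbox rules and reports any that forward or redirect mail outside the organization. The record fields, action names and domains are assumptions made for the example, and the sample data is constructed.

```python
from email.utils import parseaddr

# Assumption: domains the organization treats as internal (placeholder value).
INTERNAL_DOMAINS = {"example.org"}
# Assumption: rule actions that send mail onward to another address.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}

def external_targets(rule, internal=INTERNAL_DOMAINS):
    """Return the external addresses an inbox rule sends mail to."""
    if rule.get("action", "").lower() not in FORWARDING_ACTIONS:
        return []
    found = []
    for raw in rule.get("targets", []):
        # parseaddr handles both 'a@b' and 'Name <a@b>' forms.
        addr = parseaddr(raw)[1].strip().lower()
        domain = addr.rpartition("@")[2]
        # Match the domain exactly or as a true subdomain, so a lookalike
        # such as 'example.org.example.com' is not mistaken for internal.
        is_internal = any(domain == d or domain.endswith("." + d) for d in internal)
        if addr and not is_internal:
            found.append(addr)
    return found

def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Weekly audit: list (mailbox, rule name, external targets, enabled)."""
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal)
        if targets:
            # Disabled rules are reported too: they can be re-enabled later.
            findings.append((rule["mailbox"], rule["name"], targets,
                             rule.get("enabled", True)))
    return findings

# Constructed sample export of per-user inbox rules (not real data).
SAMPLE_RULES = [
    {"mailbox": "staff1@example.org", "name": "File newsletters",
     "action": "move", "targets": [], "enabled": True},
    {"mailbox": "staff2@example.org", "name": ".",
     "action": "Forward", "targets": ["Backup <copy@mail.example.net>"],
     "enabled": True},
    {"mailbox": "staff3@example.org", "name": "To assistant",
     "action": "redirect", "targets": ["aide@clinic.example.org"],
     "enabled": True},
    {"mailbox": "staff4@example.org", "name": "old",
     "action": "redirect", "targets": ["x@example.org.example.com"],
     "enabled": False},
]
```

Calling `audit_rules(SAMPLE_RULES)` returns the two rules with external targets, including the disabled one, while the rule forwarding to an internal subdomain is not flagged.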