Oakland Family Services Data Breach Announced

The Oakland Family Services data breach was caused by an individual employee responding to a phishing email, potentially exposing the PHI of 16,000 patients.

The Department of Health and Human Services’ Office for Civil Rights has been notified of a recent Oakland Family Services data breach that exposed the Protected Health Information (PHI) and Personally Identifiable Information (PII) of up to 16,000 patients. Individuals who visited the healthcare provider for treatment between April 2007 and July 2015 may have been affected.

According to a press release announcing the Oakland Family Services data breach, patient names, patient ID numbers and the dates on which services were provided were all potentially compromised. No financial information was exposed, although 173 patients potentially had their Social Security numbers stolen; those individuals will be offered credit monitoring services to mitigate the risk of identity theft and fraud. Other data potentially exposed varied from patient to patient and included home addresses, dates of birth, telephone numbers, medical diagnoses and health plan identification numbers.

Oakland Family Services Data Breach Caused by Employee Responding to Phishing Email

The Pontiac, MI based healthcare provider is the latest (known) victim of a healthcare phishing attack. A single employee received and responded to a phishing email, which gave the perpetrator access to that one email account. The EHR was not compromised and all other email accounts remained secure; however, every email in the compromised account, and any patient data contained in those emails, was potentially accessed.

Because the exposed data was held in email messages rather than in a single record system, it took some time to identify all of the affected individuals: approximately 60,000 individual emails had to be checked. That investigation has now been completed and all affected individuals will soon receive notification of the breach in the mail.
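The scoping exercise described above (reviewing every message in a compromised mailbox to work out which individuals, and which identifiers, were exposed) is the kind of task that is worth scripting before the first pass by hand. The following is an added example, not Oakland Family Services' tooling or anything from the press release: it walks a small constructed mailbox, pulls out patient ID numbers and Social Security numbers with regular expressions, and rolls the hits up per individual so that the "affected" and "SSN exposed" counts (the 16,000 and 173 in this case) fall out of the data rather than being estimated. The message contents, identifier format ("Patient ID 12345") and all names and numbers are invented for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mailbox standing in for the ~60,000 messages the article
# says had to be reviewed. Every name, ID and SSN below is invented.
SAMPLE_MAILBOX = [
    {"subject": "Re: intake for J. Doe",
     "body": "Patient ID 10023 (Jane Doe) seen 2015-03-04, DOB 1980-01-02."},
    {"subject": "Billing question",
     "body": "Client ID 10023 again; insurer needs SSN 123-45-6789 on file."},
    {"subject": "Fwd: appointment",
     "body": "Patient ID 10457 John Roe rescheduled to 2015-06-11."},
    {"subject": "Staff lunch",
     "body": "Pizza Friday at noon, no clinical content here."},
    {"subject": "Referral",
     "body": "PID 10457 referred out to the county clinic."},
    {"subject": "Eligibility check",
     "body": "patient ID 10901 (M. Poe) SSN 456-78-9012, plan 77-ABC-123"},
]

# Assumed identifier format: a five-digit patient/client ID, sometimes
# abbreviated "PID". Adjust to the real scheme before running on real data.
PATIENT_ID_RE = re.compile(
    r"\b(?:patient|client)\s*id\s*(\d{5})\b|\bPID\s*(\d{5})\b", re.IGNORECASE
)

# Dashed SSN with the structurally invalid areas (000, 666, 900-999), group
# (00) and serial (0000) excluded, so ITIN-style and placeholder numbers do
# not inflate the count.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Exposure:
    patient_id: str
    messages: set = field(default_factory=set)  # indexes of messages naming this ID
    ssn_exposed: bool = False


def scope_mailbox(messages):
    """Return {patient_id: Exposure} for every ID found anywhere in the mailbox.

    Conservative rule: if a message contains an SSN, every patient ID named in
    that message is treated as SSN-exposed, because the message as a whole was
    readable by the intruder.
    """
    exposures = {}
    for idx, msg in enumerate(messages):
        text = f"{msg['subject']}\n{msg['body']}"
        ids = {a or b for a, b in PATIENT_ID_RE.findall(text)}
        has_ssn = SSN_RE.search(text) is not None
        for pid in ids:
            exp = exposures.setdefault(pid, Exposure(pid))
            exp.messages.add(idx)
            exp.ssn_exposed = exp.ssn_exposed or has_ssn
    return exposures


def summarize(exposures):
    """Headline numbers for the breach notification."""
    return {
        "affected_individuals": len(exposures),
        "ssn_exposed": sum(1 for e in exposures.values() if e.ssn_exposed),
        "messages_with_phi": len({m for e in exposures.values() for m in e.messages}),
    }


if __name__ == "__main__":
    result = scope_mailbox(SAMPLE_MAILBOX)
    for pid, exp in sorted(result.items()):
        print(f"{pid}: messages={sorted(exp.messages)} ssn_exposed={exp.ssn_exposed}")
    print(summarize(result))
```

The per-message attribution is deliberately conservative: anyone named in a message that also carries an SSN is flagged, which over-counts slightly but avoids the far worse outcome of under-notifying. On a real mailbox the patient-ID pattern would be replaced with the provider's actual scheme, and attachments (PDFs, spreadsheets) would need to be text-extracted and fed through the same functions.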

The incident highlights the difficulty healthcare providers and other HIPAA-covered entities have in keeping PHI secure. In this case, numerous protections were in place to keep patients’ PHI and PII secure, yet they were undone by a single response to an email. A statement released by the healthcare provider’s Director of Information Technology, David Partlo, confirmed that little more could have been done to prevent the Oakland Family Services data breach from occurring. He said, “Oakland Family Services maintains an extensive security program to safeguard clients’ PHI, which includes annual staff trainings, regular third-party audits of our security protocol, mandatory use of strong passwords, and much more.”

Fortunately, the company had deployed an intrusion detection system which rapidly identified the compromised account, and access to the emails (and the data contained therein) was quickly shut down. A spokesperson for Oakland Family Services issued a statement saying “We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account, and based on this incident, even stronger email protocol has been implemented.” She also said, “We feel reassured by the fact it doesn’t appear the person gained access in search of PHI, but simply to perpetuate the phishing scheme, based on the amount of time the hacker spent in the account and the actions we know he or she took.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news