Otis R. Bowen Center for Human Services Data Breach Impacts up to 35,800 Patients

The Otis R. Bowen Center for Human Services, an Indiana-based provider of mental health and addiction recovery healthcare services, has revealed that unauthorized actors obtained access to the email accounts of two of its staff members.

It is not yet known when the email account breaches took place or for how long unauthorized individuals had access to the email accounts. In the substitute breach notice on its website, The Otis R. Bowen Center confirmed that an independent digital forensic investigation determined on January 28, 2020 that PHI had possibly been accessed as a result of the attack. The review of the accounts to determine which patients were impacted has now been finished, and those individuals have been individually alerted by mail. No mention was made of the types of information that were potentially compromised.

The Otis R. Bowen Center said the investigation did not find any proof to indicate that any PHI had been misused as a result of the breach but, out of an abundance of caution, affected individuals have been offered free membership to credit monitoring and identity theft protection services through Kroll.

Reacting to the breach, The Otis R. Bowen Center has taken measures to enhance email and network security and is working with leading cybersecurity experts to improve the security of its digital environment.

The Department of Health and Human Services’ breach portal states that the compromised email accounts contained the protected health information of 35,804 patients.

Meanwhile, University of Minnesota Physicians has discovered that two employee email accounts were infiltrated as a result of responses to phishing emails. In each instance, the phishing attacks were detected shortly after the email accounts were compromised and action was taken on January 31, 2020 and February 4, 2020 to safeguard the accounts.

An unauthorized person had access to one account for less than two days, and the second account was accessible for just a few hours.

A thorough investigation was completed by third-party computer forensics experts, but it was not possible to determine if any emails in the accounts were seen or copied by the attackers. A review of the email accounts was conducted by third-party specialists, who found the email accounts contained patient names, telephone numbers, addresses, dates of birth, demographic information (race, gender, ethnicity), Social Security numbers, insurance ID numbers, place of treatment, provider names, limited medical history details, and case numbers.

UMPhysicians started issuing notification letters to affected persons on March 30, 2020 and is offering free membership to credit monitoring and identity theft protection services through Kroll for one year.

UMPhysicians said a number of email security controls were in place at the time the email accounts were attacked, including multi-factor authentication. Employees had also been provided with security awareness training, and phishing simulation exercises are regularly carried out.

Refresher training has now been provided to staff and UMPhysicians is looking into measures that can be implemented to further enhance email security.

The OCR breach portal states that 683 patients were impacted by the breach.

Author: Security News