Ramsey County has revealed that a phishing attack that took place in August 2018 impacted a great many more individuals than first thought. The victim count has been revised to 117,905 from 599.
The original breach report stated the email accounts of 26 staff members were compromised in a phishing attack that took place around August 9, 2018. The attack was identified quickly and the affected accounts were locked down. The individuals responsible carried out the attack in order to re-route staff members’ paychecks.
The initial investigation, completed with the help of an external data security firm, concluded on October 12, 2018 that the attackers would have been able to view sensitive information contained in the compromised accounts. The accounts were found to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical data.
Ramsey County submitted a breach report to the HHS’ Office for Civil Rights on December 11, 2018 and alerted impacted clients. The initial breach report stated that 599 clients had been affected. Nine months on, Ramsey County has announced that 117,905 individuals have had their personal and health data accessed.
On or around May 21, 2019, County officials discovered that the email accounts of two of the 26 employees included ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support made available to the St. Paul-Ramsey County Public Health Department.
The information in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification details, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription details were not exposed. No proof of data theft was uncovered, and no reports have been received suggesting there has been any misuse of patient data.
Ramsey County released an update about the breach on July 1, 2019 stating an additional 4,638 individuals had been impacted and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.
Under HIPAA, covered entities must notify OCR of a breach within 60 days of discovery. If the number of impacted individuals is not known at the time, a provisional total can be given. The breach report can then be updated when further information is found.
Breach investigations can take many months to finish, as the extent of a cyberattack may not initially be known. On this occasion, the investigation was complicated as many of the employees whose email accounts were compromised provided services to different departments within the County. Ramsey County said that made it difficult to fully estimate all the data in the impacted accounts.