Targeted Phishing Attack Against Employees of Kent County Mental Health

2019, Breaches, January

Who: Kent County Community Mental Health Authority # of Accounts

# of Accounts Breached: 2,284

What was affected: Personally Identifiable Information, Names of Medical Providers, Medical #’s, Schools, Ethnicity, Relatives.

When it happened: October 28, 2018

How it happened: Despite safeguards in place, bad-actors gained access to Network180 encrypted e-mail accounts through a “phishing” scheme. On October 28, 2018, Network180 received a series of well-disguised e-mails that appeared to come from a trusted source. Between November 2 through November 13 we determined that three (3) staff members had their encrypted email accounts compromised after receiving the fake emails.

Outcome: Upon learning of this privacy concern, Network180 launched an internal investigation regarding the matter. The investigation was conducted by Network180’s HIPAA Privacy Officer, HIPAA Security Officer, IT Department, and HIPAA legal counsel. We have concluded our investigation and determined that the inappropriate disclosure was not preventable, have taken remedial steps (such as mass password resets and making sure that no other email accounts were affected), and are putting in place additional safeguards to protect against further “phishing” attacks.