An unauthorised individual has compromised the PHI of over 2,200 patients after gaining access to Harbor Behavioural Health’s network.
Harbor Behavioural Health (HBH) is a network of counselling and mental health treatment centres based in northwestern Ohio. HBH discovered that an unauthorised individual had used an employee’s email account to gain access to its network, which contained patient PHI. The discovery was made on February 13, 2019.
HBH contracted a third-party computer forensics firm to assist in the breach investigation. HBH’s investigators determined that the unauthorised individual had access to the account for three months between December 2018 and February 2019. They discovered another compromised email account during the investigation and attributed that breach to the same unauthorised individual.
HBH immediately took action to secure both accounts and terminate the unauthorised individual’s access.
Investigators analysed both email accounts to determine what types of PHI the hacker may have accessed. The accounts included patient information such as names, dates of birth, health insurance details, and information related to the services provided by Harbor. A limited number of patients also had their Social Security numbers and driver’s license numbers exposed. In total, the compromised email accounts contained the PHI of 2,290 patients.
Patients whose data was accessed by unauthorised individuals are at a heightened risk of identity theft and other forms of fraud. To mitigate the risks of data misuse, HBH has offered complimentary credit monitoring and identity theft protection services to all patients whose Social Security number or driver’s license number was exposed.
Harbor has taken action to strengthen access controls to block unauthorised individuals using external IP addresses. It has also increased log reviews and the frequency of automated alerts, and has strengthened its security processes.
It is possible that the unauthorised individual compromised the email accounts through a successful phishing campaign. HBH has provided additional training to employees to help them detect and avoid phishing emails.