A phishing attack at Fraser Autism Center of Excellence has resulted in the protected health information (PHI) of nearly 3,000 individuals being compromised.
Fraser, based in Minnesota, is one of the oldest and largest providers of autism and early childhood mental health services in the state. On August 6, 2019, suspicious activity was noticed on an employee email account. IT staff at the organization promptly took action to secure the email account and revoke unauthorized access.
Fraser quickly launched an investigation to discover the nature of the breach and contracted a third-party cybersecurity firm to assist with determining the scope of the breach.
Investigators determined that only a single email account was affected by the breach. They did not discover any information to suggest that the hacker had used patient information to commit fraud, but determined that the hacker could have accessed the patient information stored in the account.
It is suspected that the hacker gained access to the account after the employee replied to a phishing email, thereby allowing the hacker to harvest their login credentials.
The compromised email account contained a Fraser waitlist spreadsheet that detailed clients’ names, internal ID numbers, home cities, ZIP codes, notes about scheduling preferences, and details of the services for which clients were being referred.
In a statement, Fraser declared that it is in the process of reviewing and updating its procedures for the internal exchange of client information. It is continuing to monitor its systems to ensure that its security systems are working correctly.
Following HIPAA’s Breach Notification Rule, Fraser has sent breach notification letters to all affected patients. The letters broadly outlined the breach and informed patients of the precautions that can be taken to reduce the risk of identity fraud.
Fraser also notified HHS’ Office for Civil Rights. OCR’s breach portal indicates that 2,890 individuals have potentially been affected by the breach.