Ramsey County has dramatically increased the number of individuals thought to be affected by an August 2018 data breach from 600 to 118,000 individuals.
Ramsey County initially submitted a breach report to the HHS’ Office for Civil rights indicating that 26 employee email accounts had been accessed by an unauthorized individual, compromising the protected health information (PHI) of 599 individuals. That figure has now been updated to 117,905 patients.
The attack occurred on August 9, 2019. Ramsey County quickly spotted the suspicious activity on the email account and took steps to revoke unauthorized access. Investigators determined that the hacker’s primary motivation was to redirect employees’ paychecks and not to access patient information.
Ramsey Country’s original investigation concluded on October 12, 2018. With the assistance of third-party cybersecurity researchers, they determined that hackers would have been able to access sensitive information contained in the compromised accounts.
The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information.
Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018, and sent breach notification letters to the 600 individuals thought initially to the only patients affected.
In May 2019, County officials learned that the email accounts of two of the 26 employees contained ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support provided to the St. Paul-Ramsey County Public Health Department.
The information contained in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification numbers, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription information were not exposed.
Ramsey Country could not find any evidence to suggest that the hacker has used the data for identity fraud.
Ramsey County had issued an update about the breach on July 1, 2019, stating a further 4,638 individuals had been affected and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.
Under HIPAA, covered entities are required to notify OCR of a breach within 60 days of discovery. If the number of affected individuals is not known at the time, a provisional total can be provided. The breach report can then be updated when further information becomes available.
Breach investigations can take some time to complete as it is often difficult to identify all of the individuals affected by a particular incident.
In the case of Ramsey County, the investigation was complicated as several of the employees whose email accounts were compromised provided services to multiple departments within the County. Ramsey County said that made it difficult to evaluate all the information in the compromised accounts fully.