Phishing attacks at mental health organization affects 2,284 clients

A series of phishing attacks in October 2018 at Kent County Community Mental Health Authority in Grand Rapids, Mich., fooled three employees who clicked on phishing emails.

Now, the organization—better known as Now, Network 180—is notifying 2,284 individuals and offering a year of identity protection services from Experian. The employees, after receiving the fake emails had their email accounts encrypted. Executives of the organization say 12 types of protected health information were affected, but only 20 clients had Social Security numbers exposed.

“We cannot confirm what of this information was actually accessed or viewed by the intruders; we think it is unlikely that it was,” the organization told its clients. “Additionally, we want to emphasize that we do not believe nor see any evidence that would lead us to believe any financial information was exposed, accessed or viewed.”

Also See: Strategies for protecting your data and your people from phishing attacks

Network 180’s investigation of the breach involved its privacy officer, security officer, IT department and HIPAA legal counsel. “We have concluded our investigation and determined that the inappropriate disclosure was not preventable, have taken remedial steps such as mass password resets and making sure no other email accounts were affected, and are putting in place additional safeguards to protect against further phishing attacks.”

Network 180-CROP.jpg

The organization also told affected patients that there is no information suggesting clients are at risk for identity theft or that the type of data potentially accessed would make them vulnerable to identity theft.

However, the organization said that, out of an abundance of caution and goodwill, and as an apology for the situation, the protective services were offered. “We deeply regret that this incident occurred. These situations are inherently difficult/impossible to prevent. Network 180 is committed to keeping recipients’ personal information as protected and safe as possible, and we hope that we have the opportunity to reinforce that commitment to our clients and our community.”

An executive at Network 180 did not return a phone call asking for additional information.

For reprint and licensing requests for this article, click here.