Oakland Family Services, a nonprofit human and health services organization based in Pontiac, Mich., is notifying 16,000 patients of a potential data breach after discovering a phishing attack on an employee's email.
On July 14, an unauthorized individual gained access to an employee's email account. Oakland Family Services learned of the attack the same day.
The email account contained protected health information, including names, client ID numbers, service dates and types of service provided. Some emails also included birth dates, telephone numbers, addresses, diagnoses, health plan ID numbers, insurance numbers and Social Security numbers.
The incident affects clients seen between April 2007 and July 2015. The notification indicates 173 clients' Social Security numbers were present in the email account.
According to Oakland Family Services' internal investigation, the hacker had access to the account for 23 minutes. During that time, the hacker sent a phishing email to the employee's email contacts, none of whom were clients. The hacker then exited the account. Oakland Family Services has no evidence the hacker downloaded any PHI.
The agency said it immediately terminated the hacker's access to the email account upon learning of the incident.
"We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account and based on this incident, even stronger email protocol has been implemented," said David Partlo, director of IT at Oakland Family Services. "We feel reassured by the fact it doesn't appear the person gained access in search of PHI, but simply to perpetuate the phishing scheme, based on the amount of time the hacker spent in the account and the actions we know he or she took."
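Findings like the ones above (how long the intruder held the account, what the intruder did, and whether anything was downloaded) are normally reconstructed from the mailbox audit log. The script below is an added illustration of that reconstruction; it is not code from the article or from Oakland Family Services, and the audit records, IP addresses, mailbox name and operation names are a constructed, generic schema rather than any vendor's real log format.

```python
"""Reconstruct an intruder's mailbox session from audit records.

Added illustration (not from the article or the organization it describes):
given per-action mailbox audit events, work out how long an unauthorized
source IP held the account, what it did, and whether any operation could
have moved mail contents out of the mailbox. The record layout is a
constructed, generic schema, not a specific vendor's audit-log format.
"""
import json
from datetime import datetime

# Constructed sample: one day of audit events for a single mailbox.
# 'ts' is ISO-8601 UTC, 'ip' the client address, 'op' the mailbox
# operation. The employee's usual address is 198.51.100.7; 203.0.113.45
# is the foreign address that logs in, reads the inbox, sends one
# message to the contact list and logs out. The admin's password reset
# is recorded under a different user and so is not part of the session.
SAMPLE_AUDIT_LOG = """
{"ts": "2015-07-14T13:02:11Z", "user": "staff@example.org", "ip": "198.51.100.7", "op": "Login", "detail": "webmail"}
{"ts": "2015-07-14T14:40:03Z", "user": "staff@example.org", "ip": "203.0.113.45", "op": "Login", "detail": "webmail"}
{"ts": "2015-07-14T14:41:19Z", "user": "staff@example.org", "ip": "203.0.113.45", "op": "MailItemsAccessed", "detail": "folder=Inbox"}
{"ts": "2015-07-14T14:52:50Z", "user": "staff@example.org", "ip": "203.0.113.45", "op": "Send", "detail": "to=contacts:218 subject=Shared document"}
{"ts": "2015-07-14T15:03:03Z", "user": "staff@example.org", "ip": "203.0.113.45", "op": "Logout", "detail": ""}
{"ts": "2015-07-14T15:05:41Z", "user": "admin@example.org", "ip": "198.51.100.2", "op": "PasswordReset", "detail": "target=staff@example.org"}
"""

# Operations (hypothetical names) that copy mail out of the mailbox or
# set up ongoing access. Any of these from the intruder's IP means
# "no evidence of download" cannot be claimed for this account.
EXFIL_OPS = {"Export", "Sync", "Download", "AddForwardingRule"}


def parse_events(text):
    """Parse JSON-lines audit records and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def intruder_sessions(events, user, trusted_ips):
    """Summarise every session on `user`'s mailbox from an untrusted IP.

    Returns one dict per source IP with the first and last event times,
    the dwell time in minutes, the ordered list of operations, and any
    operations that could have exfiltrated mail.
    """
    sessions = {}
    for ev in events:
        if ev["user"] != user or ev["ip"] in trusted_ips:
            continue
        s = sessions.setdefault(ev["ip"], {
            "ip": ev["ip"], "start": ev["ts"], "end": ev["ts"],
            "ops": [], "exfil": [],
        })
        s["end"] = ev["ts"]
        s["ops"].append(ev["op"])
        if ev["op"] in EXFIL_OPS:
            s["exfil"].append((ev["ts"].isoformat(), ev["op"], ev["detail"]))
    for s in sessions.values():
        s["minutes"] = (s["end"] - s["start"]).total_seconds() / 60
    return list(sessions.values())


def summarize_sample():
    """Run the reconstruction over the constructed sample log."""
    events = parse_events(SAMPLE_AUDIT_LOG)
    return intruder_sessions(events, "staff@example.org", trusted_ips={"198.51.100.7"})


if __name__ == "__main__":
    for s in summarize_sample():
        print(f"{s['ip']}: {s['minutes']:.0f} min, ops={s['ops']}, exfil={s['exfil'] or 'none seen'}")
```

Two caveats apply when reading such a summary. The dwell time is bounded by the first and last logged events, so a session with no logout record should be treated as open until the password was reset. And an empty `exfil` list only shows that no export, sync, download or forwarding operation was recorded; a `MailItemsAccessed` event means the intruder could read whatever those messages contained in the browser, which leaves no download event at all.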