Portland, Ore.-based Native American Rehabilitation Association of the Northwest began notifying patients Jan. 3 that their information may have been exposed in a data breach.
In November, the healthcare provider discovered that a limited number of staff had fallen victim to a phishing attack. The phishing emails contained the computer malware known as Emotet. The U.S. Department of Homeland Security notes that Emotet is a costly and destructive malware that has affected state, local and tribal governments as well as organizations in the private sector.
After an investigation, NARA determined that 344 current or former patients had their electronic records accessed without authorization or were at a greater risk of unauthorized access. Additionally, according to the Office for Civil Rights, 25,187 patients may have been affected.
Patient data that may have been exposed included names, addresses, dates of birth, Social Security numbers and medical record numbers. In some instances, clinical information, such as diagnoses, services or treatments, may have also been affected.
Since the phishing attack, NARA was able to remove the malware, restrict unauthorized access and had staff reset their passwords. Additional endpoint protections have also been installed to monitor for suspicious activity on computers.