John Turk reports:
Pontiac-based OaklandFamily Services, a community outreach organization, is investigating a security breach that could have affected 16,000 clients in the area.
An unknown person gained access to the email account of an employee in July, which resulted in the potential viewing of protected health information.
Read more on Daily Tribune. The full text of the organization’s notice is reproduced below:
Pontiac, Mich. (Sept. 10, 2015) – An unauthorized individual remotely gained access to the email account of an Oakland Family Services employee July 14, 2015 resulting in the potential viewing of protected health information (PHI). However, there was no infiltration of the electronic medical record databases, or any other agency email accounts or databases. The unauthorized access was discovered by Oakland Family Services that same day, when it was determined the employee’s email account was fraudulently accessed as part of a phishing attempt. Phishing is an attempt to acquire sensitive information, such as usernames and passwords, utilizing emails that masquerade as those from a trustworthy entity.
PHI was present in the single staff email account at the time of the breach, including names, internal client ID numbers, dates of service and types of service provided. In limited instances, the emails also included dates of birth, telephone numbers, addresses, diagnoses, health plan ID numbers, insurance numbers and social security numbers. Oakland Family Services is notifying by mail approximately 16,000 clients seen between April 2007 and July 2015 that their PHI was potentially included. Only 173 clients out of the affected clients had a social security number present in this account. For these clients, the agency has engaged Experian, the largest credit bureau in the United States, to offer a year-long membership in a credit monitoring and identity restoration program. No financial information, such as credit card numbers, was present in the staff member’s email account.
“Oakland Family Services does not take lightly the security of its clients’ information,” said President and CEO Jaimie Clayton. “We regret any inconvenience this matter has caused the affected clients and want them to know that the agency is available for any questions they might have.”
An internal investigation has shown that the rogue user had access to the account for 23 minutes, it is believed with the intent of perpetuating a phishing scheme. Following a phishing email sent to the employee’s email contacts, none of which were clients, the hacker exited the account. The breach was detected the same day and Oakland Family Services immediately terminated the hacker’s access to the account. There is no evidence that the unauthorized individual downloaded any PHI.
This has been followed up by an exhaustive internal investigation and reports to governmental entities required by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
“Oakland Family Services maintains an extensive security program to safeguard client’s PHI, which includes annual staff trainings, regular third-party audits of our security protocol, mandatory use of strong passwords, and much more,” said David Partlo, Oakland Family Services Director of Information Technology. “We took action within 15 minutes of the intruder gaining access to block him or her from the affected email account and based on this incident, even stronger email protocol has been implemented. We feel reassured by the fact it doesn’t appear the person gained access in search of PHI, but simply to perpetuate the phishing scheme, based on the amount of time the hacker spent in the account and the actions we know he or she took.”
Impacted individuals have been sent a letter providing them with information regarding the incident, as well as a toll-free number to call if they have additional questions. If an individual was a client of Oakland Family Services between April 2007 and July 2015 but did not receive a letter, it may be because the agency did not have a current home address. These individuals should feel free to call (855) 755-8480 toll-free Monday through Friday, 9 a.m.-7 p.m. EST. When calling, please use this reference number: 7131082715. Frequently Asked Questions (FAQs) regarding the breach are also available on Oakland Family Services’ website – www.oaklandfamilyservices.org.
Oakland Family Services is a private, nonprofit 501 (c ) (3) serving the community since 1921 and dedicated to providing individuals and families the opportunity to build brighter futures. The agency’s prevention, education and treatment services touch the lives of more than 30,000 individuals throughout southeastern Michigan. The agency has offices in Pontiac, Berkley, Rochester Hills and Walled Lake. For more information go to www.oaklandfamilyservices.org.