On January 3, the Native American Rehabilitation Association of the Northwest, Inc. (NARA NW) in Portland, Oregon announced that it experienced a cybersecurity incident on November 4-5, 2019.
The attack was described as a malware incident with Emotet malware injected when some employees fell for a phishing attack on November 4. The incident was recognized quickly and contained by November 5, but according to NARA NW’s notice, some of their email accounts affected by the malware contained records with patient information.
Based on its investigation to date, with support from a digital forensics and cybersecurity firm, NARA NW has identified 344 or approximately 1.3 percent of current or former patients in NARA NW’s electronic records whose information appears to have been accessed without authorization or were at an increased risk of unauthorized access. Some of these patients’ information was contained in the text of email messages, while other patients’ information was contained only in attachments to emails. Although there is not a clear indication that these email attachments were accessed, NARA NW, out of an abundance of caution, is treating the information in these attachments as though it were accessed and notifying the patients.
The types of information that were contained in these records include names, home addresses, birth dates, Social Security numbers, and medical record or patient ID numbers. Additionally, some records reportedly included patient clinical information, such as diagnoses, services or treatment, and treatment dates.
In addition, there is a second group of clients and patients to whom NARA NW is providing notice: patients whose information, of the types described above, was potentially affected, but for whom there is no indication this information was actually accessed.
HHS’s public breach tool indicates that a total of 25,187 patients were affected.
You can read NARA NW’s full notification on their site.