In February 2020, Overlake Medical Center and Clinics in Washington State reported a phishing incident that had occurred in December 2019. More than 109,200 patients were reportedly affected. HHS investigated the incident and wrote a closing note in the file:
Overlake Medical Center and Clinics, the covered entity (CE), reported that multiple employees were the victims of an email phishing scheme that affected the electronic protected health information of 109,234 individuals. The ePHI involved included names, health insurance information, clinical information, and diagnoses. The CE notified HHS, affected individuals, the media, and provided substitute notice. After the breach, the CE implemented additional administrative and technical safeguards and retrained its staff on the proper methods of identifying and responding to fraudulent email communications.
Fast forward to June 2021, when Pysa threat actors added Overlake Obstetricians & Gynecologists, P.C. to their dark web leak site with a date of November 29, 2020. That date matched neither the December 2019 breach nor the February 2020 disclosure, and the data Pysa leaked consisted of more than 8,900 files totaling more than 3.8 GB. DataBreaches sent Overlake email inquiries on July 27 and 29, 2021, but received no replies.
DataBreaches never found any report on HHS’s breach tool from Overlake that corresponded to the claimed attack by Pysa or the data Pysa leaked. Was a business associate involved that might have reported that incident on Overlake’s behalf? DataBreaches does not know. But something concerning happened months later.
On November 10, 2021, DataBreaches.net received four emails from four different forged sender addresses that had nothing to do with Overlake OB/GYN. All four carried the same subject line as this site's July 2021 email to Overlake, and the body of each included the full text and signature block of the July 27, 2021 email to the clinic.
All four emails also carried an attached trojan downloader, detected as Win32/Powdow!ml. Replaying a stolen email thread under spoofed senders, with a malicious attachment, is a common way for criminals to lure recipients into opening it; it also means the original message was in criminals' hands.
How did an email sent to Overlake on July 27, 2021 wind up in the hands of criminals? Had Overlake had yet another incident, or had they failed to remediate an earlier breach fully? And if email from this site wound up being exfiltrated, how many patients or employees might also have had their information exfiltrated?
On November 10, 2021, DataBreaches sent one more email to Overlake, informing them that this site’s email to them of July 27 had wound up in criminals’ hands and asking them, once again, about the claimed ransomware attack and any response they may have made.
There was no reply. Uncertain whether Overlake had an unidentified breach or an identified but inadequately remediated breach, DataBreaches filed a watchdog complaint with HHS. As far as this site can determine, that complaint is still open.
Now Overlake has reported another breach this month. On August 12, 2022, Overlake Medical Center reported to HHS that 557 patients had been impacted by a hacking/IT incident. They also issued a substitute notice:
Notice of Email Cybersecurity Incident
Notice to Our Patients of Email Security Incident
At Overlake Medical Center & Clinics (“Overlake”), we are committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving unauthorized access to an Overlake email account, which may have involved some patient information. While Overlake has no indication that any patient information has been misused, this notice explains the incident, outlines the measures we have taken in response, and offers steps patients can take as a precaution.
What Happened? On June 14, 2022, we learned that an unidentified third party obtained the login credentials for one Overlake staff member’s email account. Because Overlake has a comprehensive information security (IS) program, we were able to identify and quickly respond to the issue and within hours secured the account and immediately began an investigation. The investigation determined that the third party had access to the staff member’s email between June 13 and June 14, 2022. Our investigation cannot rule out the possibility that the third party accessed some information stored in the email account.
What Information Was Involved? The emails may have contained patients’ names and one or more of the following: date of birth, medical record number, patient account number, health insurance information, date(s) of service, treatment cost information, and limited health information related to billing (such as diagnosis codes and treatment information). Social Security numbers and financial account information were not included. No other Overlake information systems or applications were affected by this incident, and Overlake’s security protocols prevented the third party from gaining additional access. This incident affected only a small percentage of Overlake patients.
What We Are Doing & What You Can Do. We have no reason to believe, at this time, that any patient information stored in the affected email account has been misused as a result of this incident. However, in an abundance of caution, beginning August 12, 2022, we are mailing notification letters to affected patients. We also have established a dedicated call center regarding this specific matter that affected individuals can contact for more information, available at 1-855-544-2842, from 6 a.m. to 3:30 p.m. Pacific time, Monday through Friday. Overlake also recommends patients review statements they receive from their healthcare providers and health insurer, and report any inaccuracies to the provider or insurer immediately.
We sincerely regret any concern this incident may cause. Overlake has a robust information security program that strives to always protect the privacy and security of our patients’ and employees’ information. Overlake has and will continue to take steps to mitigate this incident and help prevent something like this from happening again, including continuing comprehensive training for staff members.
So how many incidents has Overlake had in the past few years? There was the December 2019 incident, and there was another incident disclosed in 2020 by Greenway on Overlake's behalf, which DataBreaches discovered while going through the files that Pysa had leaked. Was there also a November 2020 incident, as Pysa claimed? And did Overlake fail to remediate that alleged breach or another one? How was an email sent to them in July 2021 later obtained by criminals, and how many others may have had their data at risk or compromised after July 27, 2021?
It is a shame that Overlake never responded to inquiries from this site that might have clarified those issues, but perhaps HHS will obtain answers from them if they ask the same questions.