Phishing attack leads to data breach at mental health organization
A phishing attack against Network180, a mental health organization in Grand Rapids, Michigan, led to a data breach affecting approximately 2,200 patients, according to a notice posted on the facility website.
In the announcement, Network180 stated that on October 28, 2018, it received a series of emails that appeared to come from a trusted source, and between November 3 and November 13 it determined that three staff members had their email accounts compromised after receiving the phishing emails.
At least one of the compromised email accounts contained protected health information and personal data, including:
- Addresses
- Dates of birth
- Information on ethnicity/race
- Medicaid and Medicare ID numbers
- Names
- Names of healthcare providers
- Names of relatives
- Network180 ID numbers
- Schools attending or attended
- Social Security numbers
- Waiver Support Application ID numbers
Network180 launched an internal investigation following the breach and determined that the disclosure was not preventable, but it did take remedial steps, including a mass password reset and putting more safeguards in place to protect against phishing attacks. Network180 could not confirm if the information was actually accessed, but it stated it had no indication that any financial information was exposed or accessed.