Two security breaches at Community Psychiatric Clinic in Seattle, WA, an accredited provider of outpatient mental health treatment and counseling services, resulted in the exposure of patient data. In both cases, an unauthorized individual accessed an employee's Microsoft Office 365 account.
The first security breach at Community Psychiatric Clinic was discovered on March 12, 2019, when an unauthorized person accessed an employee's account. The IT team promptly secured the account by changing the passwords and restoring the employee's hard drive. The clinic also strengthened email account security to prevent similar breaches from recurring. The investigators found no evidence of patient data theft.
Two months later, on May 8, 2019, another attack on a different email account was discovered. The attacker used the compromised account to send a fraudulent wire transfer request to another employee. Although the fraudulent transfer went through, the clinic recovered the funds because of its quick response. The clinic reset the account password to cut off the attacker's access and added further protections against future attacks. Again, no evidence suggests that patient data was stolen.
The forensic investigation found that, apart from these two accounts, two other Community Psychiatric Clinic accounts had been compromised. The investigators observed that the attackers accessed the email accounts via Outlook Web Access, which makes mass data exfiltration less likely. No data exfiltration was found, which suggests that the attackers did not access patient data. Nonetheless, breach notifications were still mailed to patients as a precaution.
The Department of Health and Human Services' Office for Civil Rights has not yet posted the breach summary on its portal, so the number of affected patients is still unknown.