Second Phishing Attack on Metrocare Services Happened After Two Months

A phishing attack on Metrocare Services in North Texas, a mental health service provider, resulted to the access of several employees’ email accounts by an unauthorized person.

Metrocare Services detected the breach on February 6, 2019 and immediately blocked access to the affected email accounts. But the investigators stated that the hackers first accessed the accounts in January 2019.

A review of the affected email accounts confirmed that the protected health information (PHI) of 5,290 patients were potentially compromised. The affected patients were informed about the potential access of their PHI because of the phishing attack on April 5, 2019. The following patients’ PHI were included: names, birth dates, driver’s license data, health insurance details, health information associated to the services given by Metrocare, and the Social Security numbers for some patients.

The breach investigators did not find any evidence that indicate the access or copying of emails containing ePHI. However, it is not possible to completely rule out ePHI access and theft. Metrocare Services offered the persons whose Social Security number were exposed free identity theft protection and credit monitoring services for one year.

As a response to the breach, Metrocare Services is going to employ extra security measures, such as multifactor authentication, to strengthen its email system security and to stop access to the accounts when credentials are compromised in cyberattacks.

This is the second phishing attack on Metrocare Services. In November 2018, a similar phishing attack on the entity caused the compromise of 1,800 patients’s PHI. After that phishing attack, Metrocare Services talked about strengthening its email system security and providing its employees additional training on identifying potential phishing attacks.

Clearly, the security measures were not enough to stop other attacks. If multifactor authentication was implemented after the first phishing attack, the second attack could have been stopped.