Ramsey County has determined that the August 2018 phishing attack affected far more people than first believed. The number of victims has risen from 599 to 117,905.
The preliminary breach report described the compromise of 26 employees’ email accounts in a phishing attack on or around August 9. Ramsey County detected the attack immediately and secured the affected accounts. The attackers’ aim was to re-route employees’ paychecks.
The initial investigation, carried out on October 12, 2018 with the assistance of a data security firm, concluded that the attackers could have accessed sensitive information held in the compromised email accounts. The accounts were found to contain clients’ names, dates of birth, addresses, Social Security numbers, and limited health information.
On December 11, 2018, Ramsey County submitted a breach report to the HHS’ Office for Civil Rights and notified affected clients. That first breach report stated that 599 clients were affected. Nine months later, Ramsey County has reported that the personal and health data of 117,905 people were exposed.
On May 21, 2019, County officials discovered that two of the 26 employees’ email accounts held ‘limited amounts’ of health information linked to services provided for the Minnesota Department of Human Services in connection with the Child & Teen Checkups program, as well as to assistance given to the St. Paul-Ramsey County Public Health Department.
The accounts contained information such as names, dates of birth, addresses, patient master index numbers, patient identifiers, appointment types, appointment dates, household identification numbers, and the names of patients’ representatives. No Social Security numbers, diagnoses, treatment information, or prescription information were exposed. There has been no report of data theft or misuse of patient data.
Ramsey County released an update on the breach on July 1, 2019, stating that a further 4,638 people were affected and that 3,272 additional notifications had been issued. Ramsey County has stated that a total of 116,255 breach notification letters have already been sent.
HIPAA requires covered entities to notify OCR of a breach within 60 days of the date of discovery. When the number of affected people is unknown at that time, a provisional total may be given, and the breach report may be amended as more information becomes available.
Breach investigations can take months to complete, so the full extent of a cyberattack may not be apparent at first. In this case, the investigation was complicated because many of the employees whose email accounts were affected provided services to several County departments, which made it difficult to fully evaluate all the information in the affected accounts.