Phishing Attack on Washington Therapist Exposes Patients’ PHI

By | January 19, 2023

A Washington therapist, Robert S. Miller LICSW, ACSW (RSM), has recently notified 640 current and former clients about a phishing incident that resulted in the exposure of some of their protected health information.

State laws require notifications to be sent to state attorneys general when there has been a breach of the private information of state residents. The notifications typically provide the minimum information about privacy breaches, but in this case, the therapist explained exactly how the phishing attack played out.

RSM had purchased an antivirus solution from the Iolo Software Company, and subsequently purchased an additional encryption program, which had disappeared from his computer. RSM was contacted by a person who claimed to be an Iolo employee who said he was aware that RSM’s computer had been hacked and requested access to clean the computer of viruses and malware. Access to the device was granted. RSM said he discovered this was a scam when the employee requested eBay cards worth $300.

As a result of this incident, that individual had access to the computer from December 2 to December 4, 2022, and potentially obtained files containing names, dates of birth, mailing addresses, email addresses, phone numbers, medical insurance ID numbers, Social Security numbers, and clinical information, which included evaluations, progress notes, mental health rating scales, and letters.

In response to this incident, RSM has taken several steps to prevent similar incidents in the future, including adopting encryption technologies, strengthening passwords, and engaging a third-party software company to review computers and remove any malware that may have been installed. Affected clients have been offered complimentary identity theft protection services.

Email Account Breach Reported by MJ Care

MJ Care, a New Berlin, WI-based provider of rehabilitation and health services, has recently notified 1,832 patients that some of their protected health information has potentially been accessed or obtained by an unauthorized individual. MJ Care did not state when the breach was detected; however, the investigation revealed the email account was accessed between May 31, 2022, and June 24, 2022.

The review of the affected email account concluded on November 2, 2022, and confirmed it contained patient names along with one or more of the following types of information: Social Security numbers, dates of birth, financial account information, credit/debit card information, biometric information, dates of service, treatment/diagnosis information, provider name, medical record numbers, patient numbers, medications, general medical information, and/or health insurance policy information. Notifications were sent to affected individuals on December 29, 2022. Complimentary credit monitoring services have been offered to patients whose Social Security numbers were exposed.

The post Phishing Attack on Washington Therapist Exposes Patients’ PHI appeared first on HIPAA Journal.