Data Breaches at Mille Lacs Health System, North Shore Pain Management and PsyGenics, Inc.

Mille Lacs Health System, located in Onamia, MN, has experienced a phishing attack that likely exposed the protected health information (PHI) of over 10,000 patients.

Some employees of Mille Lacs Health System received phishing emails containing URL links that directed them to a web page requesting their email information. Some employees were fooled by the scam.

Mille Lacs Health System learned of the phishing attack on November 14, 2020 and started an investigation to determine the scope of the breach. The investigators confirmed on February 24, 2020 that the attacker used the stolen email information to access email accounts from August 26, 2019 to January 7, 2020. An assessment of the compromised email accounts was finished on April 22, 2020 and confirmed that the attacker could have accessed patient information.

The compromised information likely included first and last names, dates of birth, addresses, provider names, clinical details, dates of service, treatment data, procedure types, and, for some persons, Social Security numbers. No evidence was found to suggest that the attackers obtained or misused patient information.

Mille Lacs Health System secured all accounts by performing a full password reset for all email accounts and implementing additional measures to strengthen email security. Affected people were notified of the breach by mail on May 11, 2020 and were offered complimentary credit monitoring services.

The breach report submitted by Mille Lacs Health System to the Department of Health and Human Services’ Office for Civil Rights reveals that the breach affected 10,630 patients.

Ransomware Attack on North Shore Pain Management

North Shore Pain Management, based in Massachusetts, has experienced a manual AKO ransomware attack and the theft of some patient data.

At the time of writing, the HHS’ Office for Civil Rights has not yet listed the incident on its breach portal. There is likewise no substitute breach notice posted on the company’s site. Databreaches.net reported the breach, mentioning that around 4GB of data relating to the company was posted on the Tor site used by the attackers. The data exposed online contained more than 4,000 files of patient and employee data.

The files included a variety of sensitive protected health information, including Social Security numbers, health data, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

PsyGenics, Inc., based in Detroit, an occupational therapy, family therapy and speech therapy provider, found out that one of its employees emailed a spreadsheet containing customer information to a personal email account. The breach was noticed on March 25, 2020 during a standard security review. The employee sent the email on March 24, 2020.

The spreadsheet included the following data: customers’ names, diagnosis codes, provider names, and appointment times. No other data, such as treatment notes, was included in the spreadsheet. No reason was given for why the employee sent the spreadsheet to their personal email account. PsyGenics states it found no proof of attempted or actual misuse of client data.