Email Security Breaches at The Otis R. Bowen Center for Human Services and University of Minnesota Physicians Impact Almost 36,500 Patients

The Otis R. Bowen Center for Human Services, based in Indiana, provides mental health and addiction recovery services. It has reported an incident in which unauthorized persons gained access to two employees' email accounts.

The date of the email account breaches has not been disclosed, nor has the length of time the unauthorized persons had access to the accounts. According to the substitute breach notification posted on its website, an independent digital forensics team informed The Otis R. Bowen Center on January 28, 2020 that PHI had potentially been accessed as a result of the attack. The provider has only recently completed its review of the accounts to identify the affected patients and has sent notification letters by mail. The types of data potentially compromised were not mentioned.

The Otis R. Bowen Center stated that the investigation found no evidence that PHI had been misused as a result of the breach. Nevertheless, as a precaution, affected individuals have been offered free credit monitoring and identity theft protection services through Kroll.

In response to the breach, The Otis R. Bowen Center has taken steps to enhance its email and network security and is working directly with prominent cybersecurity professionals to improve the security of its digital environment.

According to the Department of Health and Human Services' breach portal, the protected health information of 35,804 patients was exposed in the compromised email accounts.

University of Minnesota Physicians Phishing Attack

University of Minnesota Physicians discovered that two employee email accounts had been compromised after the employees responded to phishing emails. In both cases the phishing attacks were noticed soon after the accounts were compromised, and action to secure the accounts was taken on January 31, 2020 and February 4, 2020. The unauthorized person had access to the first account for less than two days and to the second account for only a few hours.

Third-party computer forensics experts conducted a thorough investigation but could not determine whether the attackers viewed or copied any emails in the accounts. A review of the email accounts showed that they contained patient names, phone numbers, addresses, dates of birth, demographic data (gender, race, ethnicity), Social Security numbers, places of treatment, provider names, insurance ID numbers, partial medical history details, and case numbers.

UMPhysicians began mailing notification letters to affected individuals on March 30, 2020 and has offered them a free one-year membership to credit monitoring and identity theft protection services through Kroll.

UMPhysicians stated that several email security controls, including multi-factor authentication, were in place prior to the attack, and that employees were already required to undergo regular security awareness training and phishing simulation exercises.

UMPhysicians has since given employees refresher training and plans to implement further measures to enhance email security.

According to the OCR breach portal, the breach affected 683 patients.