Patients’ PHI Exposed Due to MJ Care Email Account Breach and Washington Therapist Phishing Attack

Robert S. Miller LICSW, ACSW (RSM), a Washington therapist, has just informed 640 current and former clients of a phishing attack that exposed some of their protected health information (PHI).

When the private data of state residents is breached, state laws require the breached entity to send notifications to the state attorneys general. These notifications usually include only the minimum details of the privacy breach; in this instance, however, the therapist described precisely how the phishing attack happened.

RSM had bought antivirus software from the Iolo Software Firm and later also bought encryption software, which had vanished from his PC. RSM then received a call from an individual who claimed to be an Iolo worker, said he knew that RSM’s PC had been hacked, and asked for access to clean the PC of malware and viruses. RSM gave access to the device and later found out it was a scam because the worker asked for eBay cards valued at $300.

As a result, that person had access to the PC between December 2 and December 4, 2022, and possibly acquired files that contain names, birth dates, mailing and email addresses, telephone numbers, Social Security numbers, health insurance ID numbers, and clinical data, which included assessments, development notes, letters, and mental health rating scales.

Following this incident, RSM took a few steps to prevent similar incidents in the future, including getting encryption systems, fortifying passwords, and having a third-party software firm examine computers and get rid of any malware that was installed. Impacted clients were provided free identity theft protection services.

MJ Care Reports Email Account Breach

MJ Care, based in New Berlin, WI, provides rehabilitation and health services. It recently informed 1,832 individuals about the potential access or acquisition of some of their PHI by an unauthorized person. MJ Care didn’t say when it detected the breach; however, the investigation showed the hacker accessed the email account from May 31, 2022 to June 24, 2022.

The analysis of the impacted email account was concluded on November 2, 2022, and confirmed that it contained patient names together with at least one of these types of data: Social Security numbers, birth dates, financial account data, credit/debit card details, biometric data, dates of service, treatment/diagnosis data, provider name, patient numbers, medical record numbers, medicines, general medical data, and/or medical insurance policy data. MJ Care sent notifications to impacted persons on December 29, 2022. Free credit monitoring services were provided to individuals who had their Social Security numbers compromised.