Data Breaches at Mille Lacs Health System, PsyGenics, Inc. and North Shore Pain Management

Mille Lacs Health System, based in Onamia, MN, has suffered a phishing attack that possibly exposed the protected health information (PHI) of more than 10,000 patients.

A number of Mille Lacs Health System employees received phishing emails containing hyperlinks that routed them to a site that asked for their email details. A few of the employees were tricked by the fraudulent email.

Mille Lacs Health System found out about the attack on November 14, 2020 and began an investigation to determine the magnitude of the breach. The investigators confirmed on February 24, 2020 that the attacker used the compromised email credentials to access email accounts from August 26, 2019 to January 7, 2020. An analysis of the breached email accounts concluded on April 22, 2020 and showed that the attacker may have viewed patient data.

The compromised data possibly comprised first and last names, birth dates, addresses, provider names, clinical data, dates of service, treatment details, types of procedure, and, for selected patients, Social Security numbers. No evidence was found indicating that the attackers acquired or misused patient data.

Mille Lacs Health System secured all accounts by carrying out a password reset for all email accounts and taking extra steps to reinforce email security. Impacted persons were notified of the breach by mail on May 11, 2020 and were offered free credit monitoring services.

The breach report sent by Mille Lacs Health System to the Department of Health and Human Services’ Office for Civil Rights shows that the breach impacted 10,630 patients.

PsyGenics Employee Sent Client Data to Own Email Account

PsyGenics, Inc. in Detroit, a family therapy, occupational therapy and speech therapy provider, learned that one of its workers sent a spreadsheet containing client data to a private email account. The breach was discovered on March 25, 2020 during a routine security check. The employee sent the email on March 24, 2020.

The spreadsheet comprised the following details: clients’ names, provider names, diagnosis codes and consultation times. No other details, including treatment notes, were included in the spreadsheet. No reason was given for why the worker emailed the spreadsheet to their private email account. PsyGenics claims it did not find any information on attempted or actual misuse of customer details.

Ransomware Attack on North Shore Pain Management

North Shore Pain Management, located in Massachusetts, has suffered a manual AKO ransomware attack and the theft of some patient information.

The HHS’ Office for Civil Rights has not yet published the breach on its breach website. There is also no substitute breach notice published on the company’s web page. Databreaches.net noted the breach, saying that about 4GB of information pertaining to the company was shared on the Tor site used by the attackers. The compromised information posted on the web contained over 4,000 files of patient and employee details.

The files covered an array of sensitive PHI such as Social Security numbers, health details, and insurance information.

About Christine Garcia 1175 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA