Phishing Attacks on Fraser and East Central Indiana School Trust Impacted Almost 6,000 Individuals’ PHI

A phishing attack on East Central Indiana School Trust (ECIST) resulted in the exposure of some protected health information (PHI) of over 3,200 people.

On May 19, 2019, an ECIST employee was misled into sharing his/her email account credentials which an attacker used to gain access to that individual’s email account. ECIST detected the breach on May 22, 2019 and secured the account.

A third-party computer forensics firm investigated the breach and determined whether there was a compromise or theft of patient information during the attack. The forensics firm did not find any proof that the attacker viewed or downloaded emails in the account, however, the likelihood that the data was accessed or stolen couldn’t be certain.

The information in the email account that was compromised included the names of employees and dependents, Social Security numbers, dates of birth, driver’s license numbers, prescription information, health insurance details, and some medical information.

ECIST already reported the HHS’ Office for Civil Rights about the breach, which potentially impacted around 3,259 trust members’ employees as well as their dependents.

Phishing Attack on Fraser

A phishing attack happened on Fraser, an autism and early childhood mental health service provider in Minnesota, affected just one employee’s email account on August 6, 2019.

Fraser identified the phishing attack quickly and secured the compromised email account in just a few hours. Fraser initiated a breach investigation with the help of its IT vendors and determined that the attacker accessed client data.

A Fraser waitlist spreadsheet was found in the compromised email account. It contained the names of clients, internal ID numbers, home cities, ZIP codes, information concerning scheduling options, and particular services for which clients got referrals.

Fraser is checking and updating its procedures for the internal exchange of customer data. Also, the recording of information is closely observed to ensure that its security systems are operating properly.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at