Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.
The Breach Discovery
The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third-party accessed some of their employees’ email accounts. According to Metrocare, immediately after learning of the breach, the affected email accounts were secured, and an investigation was launched. The investigation found that the compromised email addresses were first accessed in January 2019.
Potentially Accessed Information
The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.
Patient notification began on April 5, 2019. At this time, Metrocare does not have reason to believe that any of the affected patient information has been misused as a result of the incident. Those individuals who may have had their Social Security numbers exposed are eligible for one year of complimentary identify protection and credit monitoring.
In their notice, Metrocare writes:
We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its system systems.
Not Their First Offense
What sounds like a sincere apology to the community regarding the incident may not be taken as such. This data breach was reported just 5 months after Metrocare reported a previous breach in November 2018. Even worse, this breach was almost identical to the previous, a phishing attack that compromised the PHI of 1,800 patients.
Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.
Considering they encountered a very similar breach just months after their first one, it is clear that whatever security/training may have been implemented was not enough. Multi-factor authentication had not been enabled following the first attack, which could have very likely prevented the second from occurring.
The November phishing attack on Metrocare does not have a closing listed on HHS’ public breach website, meaning that first attack may still be under investigation.