Kansas-based Valley Hope Association addiction treatment centers are notifying patients their personal information may have been compromised in a phishing attack which granted unauthorized access to an employee’s email account.
An investigation revealed on Nov. 23, 2018, that the threat actors logged into the account between Oct. 9-10, 2018, resulting in a risk of unauthorized access to the email messages and file attachments stored in that email account which contained personal information, according to a Jan. 18 security notice.
The data of 70,000 patients was compromised including patient names, addresses, medication/prescription information, Social Security numbers, financial account information, driver’s license or state identification card numbers, patient claim/billing information, dates of birth, health insurance information and medical record numbers, and doctor’s names.
The breach affected 16 facilities across Kansas, Missouri, Nebraska, Arizona, Oklahoma, Texas and Colorado.
Those who were affected have been sent notification and the facilities have also notified the Department of Health and Human Services’ Office for Civil Rights, state regulators and the three major credit reporting agencies.
“Valley Hope has created this resource page to help answer further questions and provide guidelines for individuals to help protect themselves from identity theft and what they can do if they believe their personal information has been compromised,” the security notice said. “While we have security measures in place to protect information in our care, we are also taking steps to implement additional safeguards and review policies and procedures to further protect the security of information on our systems. ”
Valley Hope is also offering 12 months of free identity monitoring services from Kroll.