Michigan-based non-profit organization Oakland Family Services is notifying approximately 16,000 clients that an unauthorized individual remotely gained access to the email account of an employee via a phishing scam, and potentially viewed personal information.
How many victims? Approximately 16,000.
What type of personal information? Names, addresses, telephone numbers, dates of birth, internal client ID numbers, health plan ID numbers, insurance numbers, dates of services, programs and types of services, and diagnoses. Social Security numbers were affected for 173 clients.
What happened? An unauthorized individual remotely gained access to the email account of an Oakland Family Services employee via a phishing scam, and potentially viewed the personal information.
What was the response? Emails older than six months in the compromised email account are archived, meaning they are no longer accessible in the email account and are on a secure server. All employees have been trained on how to avoid phishing scams. All potentially impacted clients are being notified, and those whose Social Security numbers were included are being offered a free year of identity theft protection and credit monitoring services.
Details: Oakland Family Services was able to determine that unauthorized access was gained to the email account for 23 minutes on July 14. The unauthorized individual created and sent a phishing email to all of the host's email contacts while they were in the employee's email account, none of whom were clients. No other Oakland Family Services employee responded to the phishing email. Oakland Family Services does not believe that any personal information was looked at or downloaded, and there have been no reports of misuse of the information. The personal information related to those who received mental health or substance abuse treatment at Oakland Family Services between 2007 and 2015.
Quote: “The staff whose email was hacked holds a position that involves having an unusual amount of PHI in their email,” a FAQ said. “This staff is now using Multi-factor Authentication, which means that the email could not be accessed with only the password.”
Source: oaklandfamilyservices.org, “Oakland Family Services announces information breach,” Sept. 10, 2015; oaklandfamilyservices.org, “Oakland Family Service Information Breach FAQs.”