27,500 affected after cybercriminals accessed employee email accounts

US mental health provider admits email breach exposed patient data

People Incorporated Mental Health Services, a Minnesota-based US healthcare provider, has admitted that an email security data breach has exposed sensitive patient records, along with an unspecified volume of financial data.

One or more of the email accounts accessed by an unauthorized third party between April 28 and May 4 contained personal and/or protected health information.

People Incorporated has been notifying potentially affected individuals since the breach was discovered in September, the non-profit said.

A notice on the US government Health and Human Services website states that 27,500 people were affected by the breach.

In a public statement (PDF), People Incorporated detailed the scope of the incident and its response:

The accessed email accounts contained the personal and protected health information of certain patients, including their names, dates of birth, addresses, treatment information, insurance information, and medical record number.

A limited number of individuals’ Social Security numbers, financial account information, health insurance information, and driver's license or state identification numbers were also contained in the impacted email accounts.

The statement goes on to say that, after discovering the problem, People Incorporated shut off access to the compromised email accounts before applying a mandatory, company-wide password reset.

It subsequently hired an unnamed external cybersecurity firm to help it run an investigation into the breach.

Sensitive data

In a bid to reassure its customers, People Incorporated said it has seen “no evidence to suggest that any data [has been] misused or otherwise in the possession of someone it should not be”.

The healthcare provider is offering complimentary credit monitoring to the unspecified number of people whose Social Security numbers were potentially exposed as a result of the incident.

People Incorporated added that it had taken steps to “minimize the risk of a similar incident in the future, including implementing additional technical safeguards and providing additional training and education to People Incorporated employees on identification and handling of malicious emails”.

This points to a phishing attack as the most likely reason for the breach, but this remains unconfirmed.

The US healthcare provider is yet to respond to requests for comment from The Daily Swig, but we’ll update this story as and when we hear more.
