Native American Rehabilitation Association of the Northwest, Inc.(NARA) in Portland, OR, which provides education, mental and physical health services and substance abuse treatment to native Americans, encountered a malware attack which resulted in the potential access of protected health information (PHI) by unauthorized persons.
NARA stated that the malware attack happened on November 4, 2019. At the beginning, the malware bypassed security controls but was identified later on that afternoon. The security team had control of the threat by November 5, 2019 and had reset all passwords on email accounts by November 6.
The malware variant used was the Emotet Trojan, which steals credentials and exfiltrate email messages and file attachments. It is consequently likely that the threat actors accessed emails and file attachments in the breached accounts, which may contain PHI.
According to the press release of NARA on January 3, 2020, the forensic investigators affirmed that the attackers possibly accessed the PHI of 344 persons or there’s a high probability of them being accessed. The attck also potentially affected another group of patients, but there is no proof of unauthorized access found.
The email accounts contained different types of information but may have comprised of names, birth dates, home addresses, Social Security numbers, and healthcare record or patient ID numbers. The clinical information of some individuals may have also been exposed. The information may have, included diagnoses, services obtained, treatment data, and treatment dates.
The HHS’ Office for Civil Rights’ Breach portal indicated that breach may have affected about 25,187 people. Jacqueline Mercer, CEO of NARA NW, expressed apologies to their clients because of the malware attack.
NARA NW already implemented a new endpoint security solution on all computers to keep track of suspicious activity. The healthcare provider is also reviewing policies and procedures for necessary updates to be implemented. Employees also received additional training on security awareness.