A malware attack on the Native American Rehabilitation Association of the Northwest, Inc. (NARA) in Portland, OR resulted in the potential unauthorized access of the protected health information (PHI) of native American patients who are receiving mental and physical health services, education and substance abuse treatment.
NARA mentioned that the malware attack came about on November 4, 2019. Security controls failed to identify the malware at the beginning but eventually identified it in the afternoon. By November 5, the security team already had the threat under control and by November 6, it had changed all email account passwords.
The attackers used the Emotet Trojan malware variant, which is often employed for credentials theft and exfiltration of email messages and included attachments. Hence, it is very likely that attackers had accessed the compromised accounts’ emails and attachments, including PHI if any.
NARA’s press release on January 3, 2020 mentioned the confirmation by the forensic investigators that the attackers potentially accessed 344 people’s PHI. If not accessed yet, the risk is very high. The attack likewise potentially impacted another group of patients, though the investigators have yet to find any proof of unauthorized access.
The email accounts included varied types of data, which possibly included names, home addresses, birth dates, healthcare records or patient ID numbers and Social Security numbers. The clinical data, such as diagnoses, medical services received, treatment details, and treatment dates, of some people, were likely exposed as well.
The HHS’ Office for Civil Rights’ Breach portal already published the breach, which indicated 25,187 people were affected. CEO of NARA NW, Jacqueline Mercer, Jacqueline Mercer, apologized to their clients on account of the malware attack.
NARA NW already updated their computer with a new endpoint security solution to keep track of suspicious transactions. The healthcare firm is likewise reviewing and updating its policies and procedures.