Northwood Inc. is notifying individuals that their private information may have been comprised in a data breach following a phishing attack.
Northwood Inc., based in Madison Heights, MI, acts as a HIPAA business associate to several covered entities. Northwood discovered the breach on May 6, 2019, after noticing some suspicious activity on an employee email account. An investigation was immediately launched into the incident.
After it was confirmed that an unauthorised individual had compromised the email account following a successful phishing campaign, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack.
Investigators determined that the hacker first gained access to the employee’s email account on May 3. Once the activity was discovered, the unauthorised access was immediately revoked. Investigators did not find any evidence to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out.
On June 19, Northwood determined that patients’ protected health information had been exposed and declared a data breach. The information potentially accessed by the hacker included names, addresses, dates of birth, provider name, dates of service, medical record number, patient ID number, diagnosis and diagnosis codes, medical device description, treatment information, and health plan membership number. A small subset of patients also had their Social Security number, driver’s license number, and health insurance provider name exposed.
Affected patients had received durable medical devices from Northwood or had their devices managed by the company. The compromised email account also contained information relating to healthcare providers and their exclusion status with the CMS.
When the breach was discovered, Northwood disabled the compromised account and performed a password reset on all employee email accounts. Northwood has provided additional training cybersecurity training to employees to help them identify email threats. Northwood has also taken steps to improve email security has been strengthened.
Following HIPAA’s breach notification rule, Northwood has sent breach notification letters to all patients affected by the breach. As a gesture of good faith, individuals have been offered complimentary credit monitoring services to protect them from being defrauded by the hackers.
Northwood has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach has been reported as four separate incidents, affecting 583, 3881, 5563, and 5000 patients – 15,027 patients in total.