Sweetser hack releases IDs, medical info on 22,000 clients

By Kendra Caruso | Nov 06, 2019
Photo by: Kendra Caruso Local mental health services provider Sweetser suffered an email hack in June that released sensitive information on thousands of clients.

Belfast — Sensitive client information was hacked through two Sweetser employee email accounts last June. Details about 22,000 people’s identification information and medical conditions may have been released to the hackers, according to Sweetser spokesperson Susan Pierter.

On Oct. 28, Sweetser clients received letters about the email breach that occurred from June 18 to June 27. Currently, there is no evidence that the leaked information has been misused, Pierter said.

But that did not prevent one client, who asked The Republican Journal not to disclose her name, from feeling anxious about how the hackers might use her information. When the client received a letter Oct. 28 about the incident, she immediately filed for a credit check. She said learning about the hack felt like "a violation."

The letter did not say what information might have been leaked, but provided the phone number for a call center that would answer patient questions on the matter.

Upon discovering the hack June 27, Sweetser hired a company to investigate the scope of the incident. Sweetser obtained investigation results Sept. 10 and immediately started verifying client addresses to get notification letters sent, according to Pierter.

It hired Dasher Inc., based in Harrisburg, Pennsylvania, to field calls and notify those affected about information that might have been released.

Once the investigation was completed, Sweetser reported the breach to the Department of Health and Human Services’ Office for Civil Rights, which investigates HIPAA violations, Pierter said.

She would not confirm whether the employees hacked were managers. Through email, she said Sweetser has no reason to believe that medical information was accessed or viewed and described the 10-day unauthorized access as a “limited window.”

Hackers managed to get through firewalls already in place at Sweetser. Since the attack, the company said it has increased its security measures on all employee email accounts.

The company said it does not usually send sensitive medical information via email, but will occasionally do so for billing purposes. Pierter said Sweetser complies with all federal and state regulations to protect patient information.

According to HIPAA rules, the company is not permitted to publicly release information about a patient's medical diagnosis. There is no specific rule listed on the Office for Civil Rights' webpage regarding HIPAA medical information sent through company email.

The website contains one broad statement about transmission security that states, “A covered entity must implement technical security measures that guard against unauthorized access to e-PHI (electronic patient health information) that is being transmitted over an electronic network.”

The website states that a company must identify potential risks and have a plan to reduce or eliminate those risks. There must be a security official within the company to implement policies and train employees on them.

Sweetser did not say whether or how long it would monitor the 22,000 clients' information for misuse. Sweetser clients can call 1-833-444-4458 about information that might have been accessed.


Comments (1)
Posted by: Kevin Riley | Nov 10, 2019 09:23

"Sensitive client information was hacked through two Sweetser employee email accounts"

Meaning someone within the organization opened a link or code in an email that launched the malware package. This is very much a security training issue. The bad guys don't "hack" through firewalls. That takes far too much time and resources.
As with what happened here, they delivered the malware package/link through an email. That only requires the user to click the package or link and invite the malware to their computer (client), where it then launches or downloads the package and the damage is done. It gets invited, which typically bypasses Firewall protections.
If you don't properly train your employees to recognize these types of emails, this kind of thing will just keep happening. This is getting harder because the bad guys are getting better at what they do.
Then there is your email service provider. What are they doing to be more proactive in protecting their clients?
Is the Firewall in house or at their ISP? Is it up to date? Does the Firewall sniff email? Is the path for the email service provider even sniffed by the Firewall?
Finally, they can be very thankful it was not ransomware.

This is not going to end. This is in fact the new normal for the cyber criminal element and it is only going to get worse.
The bottom line: corporations need to better train their employees to recognize phishing emails and what to do once they do recognize them.
I just retired and spent about 20 years of my working life as an IT contractor for the DOD. We had four online security courses for DOD and typically three for the companies I worked for to take every year.
For the firms I worked for, causing a cyber intrusion would be an escort-able offense, and for DOD, loss of your security clearance. You would be walked out that day.
I know that's harsh, but in our case it's national security.
In corporate America it's loss of productivity, data, trust, income and a host of other problems. Ransomware can put a company out of business.
As a TV cop used to say, "let's be careful out there."
