Community Psychiatric Clinic responds to incident involving unauthorized access to Office 365 accounts

• The event may have affected the personal and protected health information of its clients and staff members.
• All the potential unauthorized access for each of the impacted mailboxes was through Outlook Web Access.

Community Psychiatric Clinic (CPC), that provides health treatment and counseling services throughout Seattle and Kings County, has detected and responded to a security incident recently. The event may have affected the personal and protected health information of its clients and staff members.

What happened?

On or about March 12, 2019, CPC became aware of a potential data breach involving unauthorized access to one of its employee’s Microsoft Office 365 email account. Upon discovery, the firm immediately changed all passwords associated with Office 365 accounts and restored the employee’s hard drive. CPC had also implemented additional security measures on the employee’s account to prevent any similar attacks in the future.

Despite the mitigation measures, CPC had detected another similar incident of unauthorized access to the account on May 8, 2019. This time another employee was targeted to engage in a fraudulent wire transfer of funds. However, due to the early detection by CPC, the hacked account was immediately restored and all funds were recovered. At the time of the second attack, the firm had also changed the passwords of the email accounts associated with Office 365.

What did the investigation conclude?

The external forensic investigation concluded that two accounts were potentially compromised by hackers. All the potential unauthorized access for each of the impacted mailboxes was through Outlook Web Access. However, the external investigation confirmed that there no sign of data exfiltration.

There was also no sign of access to CPC servers or workspaces beyond the access to the Office 365 accounts.

How did CPC respond?

CPC undertook a comprehensive manual review process to identify the specific individuals whose personal and protected health information was available in the impacted mailboxes.