Community Psychiatric Clinic Announces Data Security Incident - Seattle, Washington

SEATTLE, July 29, 2019 /PRNewswire/ -- Community Psychiatric Clinic ("CPC") provides an array of accredited outpatient mental health treatment and counseling services throughout Seattle and Kings County.  CPC recently identified and addressed a security incident that may have involved personal information and/or protected health information of its clients and staff members.  CPC began providing notice to all individuals potentially impacted by this incident on July 26, 2019.  This release describes the incident, outlines the measures that CPC has taken in response, and advises potentially impacted individuals on steps they can take to further protect their information.

On or about March 12, 2019, CPC became aware of a potential data security incident involving unauthorized access to one of its employees' Microsoft Office365 ("O365") email accounts.  CPC immediately changed all passwords associated with the O365 account, and restored the employee's hard drive, thereby terminating all potentially unauthorized access on March 12, 2019.  CPC also implemented additional security measures on this employee's O365 account to prevent any similar incidents from occurring in the future.  Lastly, CPC undertook an internal investigation which did not identify any signs of data exfiltration.

On or about May 8, 2019, CPC became aware of a separate potential data security incident involving unauthorized access to another employee's O365 account when a malicious actor attempted to induce CPC to engage in a fraudulent wire transfer of funds.   As a result of CPC's immediate efforts to investigate and remediate this event, all funds were recovered.  CPC also immediately changed all passwords associated with the employee's O365 account, thereby terminating all potentially unauthorized access on May 8, 2019, and implemented additional security measures on the account to prevent any similar incidents from occurring in the future.  As a result of these events and in an abundance of caution, CPC undertook a comprehensive external forensic investigation of its entire O365 environment to determine the nature of the data security incidents and confirm that all potential unauthorized access had been terminated.

The external forensic investigation concluded that the O365 accounts referenced above, as well as two additional employees' O365 accounts, were potentially compromised.  CPC immediately undertook efforts to cease any potential unauthorized access on the two additional identified accounts by changing passwords and implementing additional security measures, thereby terminating all potential unauthorized access on May 29, 2019. 

All potential unauthorized access for each of the impacted mailboxes was through Outlook Web Access, significantly reducing the likelihood of large scale data exfiltration.  This was confirmed by the external forensic investigation, which did not identify any signs of data exfiltration.  The forensic investigation also did not identify any access to CPC's servers or workspaces beyond the access to the four O365 accounts via Outlook Web Access.

In continuing its thorough investigation, CPC also undertook a comprehensive manual review process to identify the specific individuals with personal information and/or protected health information contained in the impacted mailboxes, if any.  The forensic investigation and manual review process were completed on July 21, 2019.  Ultimately, the data security incidents described above may have resulted in unauthorized access to personal information and/or protected health information of current and former clients and employees of CPC.  Please note that it is entirely possible that an individual's personal information and/or protected health information may not have been compromised as a result of the incident.

Individuals who have received a notification or who believe that they potentially may have been impacted by this incident are invited to contact (877) 804-6420 between 9:00 a.m. and 9:00 p.m. Eastern Standard Time, Monday through Friday.  CPC understands the importance of protecting the personal information and protected health information maintained on its systems and deeply regrets any concern that this may have caused the potentially impacted individuals.

SOURCE Community Psychiatric Clinic