Cyber Incident Victim: Kent County Community Mental Health Authority

On October 28, 2018, Kent County Community Mental Health Authority, operating as Network180 in Michigan, received a series of well-disguised phishing emails impersonating a trusted source. Between November 2 and November 13, 2018, the organization determined that three staff members had fallen victim to the scheme, resulting in unauthorized access to their encrypted email accounts. Network180 initiated an internal investigation led by its HIPAA Privacy Officer, HIPAA Security Officer, IT Department, and legal counsel to assess the scope and impact. The breach exposed protected health information of 2,284 patients, though investigators could not confirm whether attackers actually viewed or accessed the compromised data. Exposed information categories included names, addresses, dates of birth, Medicaid/Medicare ID numbers, internal client identifiers, and in 20 cases, Social Security Numbers. Educational affiliations, provider names, racial/ethnic information, and relative names were also potentially compromised.

Network180 concluded the breach was not preventable despite existing safeguards but implemented remedial measures including mass password resets across email accounts and verification that no additional accounts were compromised. The organization emphasized no financial information was exposed and stated no evidence suggested elevated identity theft risk for affected individuals. As a precautionary measure, Network180 offered one year of complimentary identity protection services through Experian to impacted clients. Notification of the incident was publicly posted on their website, accompanied by customer service contact options for concerned individuals. The investigation determined the phishing attack specifically targeted encrypted email accounts rather than broader network systems, with containment efforts focused on securing email access points and enhancing anti-phishing defenses.