Cyber Incident Victim: Oakland Family Services

On July 14, 2015, an unauthorized individual remotely accessed an Oakland Family Services employee’s email account for 23 minutes through a phishing scam. The breach exposed personal information of approximately 16,000 clients who received mental health or substance abuse treatment between 2007 and 2015. Compromised data included names, addresses, telephone numbers, dates of birth, internal client ID numbers, health plan ID numbers, insurance numbers, dates of services, programs and types of services, and diagnoses. Social Security numbers were affected for 173 individuals. During the intrusion, the attacker sent a phishing email to all contacts in the compromised email account, none of whom were clients. No other Oakland Family Services employees responded to the fraudulent email. The organization stated it found no evidence that the intruder viewed or downloaded personal information and reported no instances of misuse related to the breach.

Oakland Family Services responded by securing emails older than six months by archiving them to a secure server, rendering them inaccessible through the compromised account. All employees received training on identifying and avoiding phishing scams. The organization notified all potentially impacted clients and offered those whose Social Security numbers were exposed a free year of identity theft protection and credit monitoring services. The breached employee’s account, which contained an unusually high volume of protected health information (PHI), was secured with multi-factor authentication to prevent future unauthorized access using only a password. The organization emphasized that the breach was confined to a single email account and reiterated its commitment to safeguarding client data in public statements and FAQs released on September 10, 2015.