KENT COUNTY, Mich. — The personal information of approximately 59,000 current and former employees and clients of Kent County Mental Health Authority (Network 180) was exposed in a phishing attack on Network180 in October 2023.
The IT department was made aware of the situation on Oct. 18 when a Network180 user noticed some unusual activity on their email account.
According to IT, third-party forensic and cybersecurity experts were involved in the investigation and the situation was contained on the same day.
On Oct. 25, the forensic experts determined Network180 was the victim of a phishing attack by an unknown threat. The attack began when the individual clicked a link in a malicious email which affected their email account.
When the link was clicked, it allowed the attackers to access the user's email and credentials, bypassing security protections and multi-factor authentication.
The investigation revealed the attackers had access to the email account between Sept. 28 through Oct. 18 and could access and export data on the user's email account. The full extent of the information breached wasn't known until early December.
The personal information of Network180's current and former employees and current and former clients who used Network180 was involved in the attack.
The information leaked may have included full names and one or more of the following: date of birth, address, driver's license number (for a small number of individuals), full or partial Social Security Number, health insurance policy information (including Subscriber Number and designated insurer), medical information, other demographic information (i.e., race or gender) and in some cases, financial account of payment card numbers.
Users are advised to take necessary steps to protect their information.
"We have taken additional steps to strengthen the security of the environment and to ensure future incidents are unsuccessful, including hiring cybersecurity staff to proactively monitor our systems and implementing the recommendations of the forensics experts, including additional training of our employees and vendors. We do not believe any of the information that may have been accessed has been misused. Out of an abundance of caution, we are offering 12 months of free credit monitoring services.
We take the protection of personal information seriously and sincerely apologize to our employees and healthcare clients for any concern this incident may have caused," Mary Ann Sabo, a spokesperson for Network 180 said.
Network180 has taken additional steps to strengthen the security of the IT environment to prevent future attacks. To ensure this, they hired cybersecurity staff to monitor Network180's systems and implement recommendations from forensics experts.
Network180 is also offering individuals whose sensitive information may have been involved in the incident complimentary credit monitoring services for 12 months at no charge.
Letters were mailed beginning Dec. 22 to those affected.
If you believe you are affected by this incident and did not receive a notification letter by March 21, 2024, call Experian at 1-833-713- 9013, Monday through Friday 9 a.m. – 11 p.m. EST, Saturday and Sunday 10:00 a.m. – 7:00 p.m. CST (excluding major holidays).
Provide this engagement number to the Experian operator: B112415 (adults) or B112416 (minors).
►Make it easy to keep up to date with more stories like this. Download the 13 ON YOUR SIDE app now.
Have a news tip? Email news@13onyourside.com, visit our Facebook page or Twitter. Subscribe to our YouTube channel.
Watch 13 ON YOUR SIDE for free on Roku, Amazon Fire TV Stick, Apple TV and on your phone.