Posted On October 5, 2022 Consumer Privacy & Data Breaches
On October 4, 2022, Columbia River Mental Health Services filed notice of a data breach with the Montana Attorney General after the company learned that an unauthorized party gained access to employee email accounts for a period of more than a year. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, usernames and passwords, and dates of birth. After confirming that consumer data was leaked, CRMHS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the CRMHS data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Columbia River Mental Health Services.
The available information regarding the Columbia River Mental Health Services breach comes from the company’s filing with the Montana Attorney General’s Office. According to this source, CRMHS recently detected suspicious activity within several employee email accounts. In response, the company launched an internal investigation with the assistance of a third-party forensic firm to identify the nature and scope of the incident, as well as whether any employee or patient data was compromised.
The CRMHS investigation confirmed that an unauthorized party had indeed gained access to the affected email accounts on May 14, 2021, and that the unauthorized access lasted until April 8, 2022. The investigation also revealed that the emails and attachments which were accessible to the unauthorized parties included highly sensitive consumer information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Columbia River Mental Health Services began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, Social Security number, driver’s license number, financial account information, medical information, health insurance information, username and password, and date of birth.
On October 4, 2022, Columbia River Mental Health Services sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Columbia River Mental Health Services is a healthcare provider based in Vancouver, Washington. The company provides a wide range of mental health services to adults and children, including adult outpatient services, child and family services and addiction treatment. Columbia River Mental Health Services employs more than 262 people and generates approximately $16 million in annual revenue.
In the notice provided to victims of the recent data breach, Columbia River Mental Health Services explains that the incident was the result of an unauthorized party gaining access to several employee email accounts. There are a few tricks hackers use to get access to employee email accounts, most email-based cyber attacks involve phishing attacks.
Phishing is a type of cyberattack where a hacker sends an employee of a company an email hoping to get them to provide the hacker with access to the employer’s computer network. Of course, hackers disguise their attempts by sending phishing emails from a seemingly legitimate source. And phishing emails are designed to look official. For the most part, hackers are very skilled at creating fraudulent emails, and may use the correct company logo and will even use a very official-sounding email address.
In a phishing email, hackers take one of two approaches; they either try to trick the employee into giving them information or click on a malicious link. The hacker does this by relying on principles of social engineering to make the employee believe as though they should go ahead and do what the email suggests without the need to confirm their decision with management. For example, a phishing email might ask for an employee’s login information in an email explaining that someone attempted to access the employee’s email account and now the employee needs to “sign in” to change their password. However, in reality, this is just a trick.
The other approach is to include a malicious link in the email that, when clicked, takes the employee to a totally unrelated website that, again, appears to be legitimate. In some cases, hackers will attach malicious files to an email, asking the employee to download the file.
According to the Identity Theft Resource Center, a third of all cyberattacks in 2021 were phishing attacks, making them the single most common type of cyberattack. In part, this is because phishing attacks are among the easiest to carry out and have an incredibly high success rate. For example, according to a study from 2021, employees in the United States receive 14 malicious emails per year on average. However, employees in certain industries, such as retail workers, receive more than four times that number. Perhaps the most shocking statistic about phishing attacks is that 86% of companies reported having at least one employee click a phishing link in 2021.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the CRMHS data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Columbia River Mental Health Services (the actual notice sent to consumers can be found here):
Dear [Redacted],
Columbia River Mental Health Services (“CRMHS”) is providing notice of a recent data privacy event that may have affected certain personal information. The confidentiality, privacy, and security of information is one of CRMHS’s highest priorities and CRMHS takes this matter seriously.
What Happened? CRMHS recently became aware of suspicious activity related to certain CRMHS email accounts. CRMHS immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. CRMHS’ investigation determined that there was unauthorized access to certain email accounts from May 14, 2021, to April 8, 2022. CRMHS began reviewing the affected accounts to determine what, if any, sensitive information was contained within them. CRMHS is providing this information in an abundance of caution, as the investigation cannot confirm that information relating to specific individuals was actually accessed. On August 26, 2022, CRMHS’ review confirmed the scope of the information at risk and to whom that information related.
What Information Was Involved? The information impacted by this event varied by individual but may include certain individuals’ names, addresses, Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, username and password, and date of birth.
How will individuals know if they are affected by this incident? CRMHS is mailing notice letters to the individuals whose protected information was affected by this event, and for whom we have a valid mailing address. If you do not receive a letter but would like to know if you are affected, you may call the assistance line listed below.
What You Can Do. CRMHS encourages individuals to review the information below related to “Steps Individuals Can Take to Help Protect Against Identity Theft and Fraud,” which provides detail on how to better protect against possible misuse of information. Affected individuals can find guidance in the letters being sent to them.
For More Information. Individuals who may have questions about the incident, may contact 888-689-1152, Monday through Friday from 9am to 9pm ET.
