Prestera Center for Mental Health Services, West Virginia’s biggest behavioral health services provider, became aware that an unauthorized person potentially obtained access to the protected health information (PHI) of a small number of its present and past patients.
An unauthorized person got access to Prestera Center’s business email account that stored patients’ PHI including names, birth dates, patient account numbers, medical record numbers, diagnostic data, prescription details, treatment data, and healthcare provider data. The addresses, Social Security numbers, and Medicare/Medicaid numbers of some patients are also stored in the email system.
Prestera Center got a third-party vendor to help with the investigation to find out if the unauthorized person viewed or obtained any PHI during the data security incident. According to the service provider, there was no evidence uncovered that show any sign or actual misuse of patient data. However, considering that there was potential viewing or acquisition of PHI, Prestera Center offered the affected persons free credit monitoring and identity theft protection services.
Prestera Center already took the following steps to strengthen its security: used multi-factor authentication on all its accounts, fortified its cybersecurity facilities, replaced its firewall with a better one, updated policies and guidelines, and provided its employees with an extensive HIPAA training program.
Data Breach at Mattapan Community Health Center
Mattapan Community Health Center (MCHC) based in Massachusetts is informing some of its patients regarding the potential access of some of their PHI by an unauthorized person who got access to the email account of an employee.
The center noticed strange email activity in the employee’s email account on October 16, 2020. With the help of a third-party security company, MCHC learned that someone accessed the email account from July 28, 2020 to October 15, 2020. A look into the email account showed that it held some sensitive information that the unauthorized person might have viewed or obtained.
The data contained in the account differed from one person to another, but could have included the names of patients, their medical diagnoses, treatment data, provider details, medical insurance data and/or medical record numbers and Social Security numbers,.
According to MCHC, there is no evidence found that suggest any actual misuse of patient information or any attempts of it. Since the email breach, MCHC has put in place extra security measures to avoid breaches later on.