Sunshine Behavioral Health Group based in Portland, OR provides business services to healthcare companies. The group reported a breach of its cloud-based system that stored patient medical records because of an accidental misconfiguration. Patient data could be accessed over the internet because of misconfiguration.
The group discovered the error on September 4, 2019 and promptly implemented access controls to keep unauthorized persons from accessing the records. On November 14, 2019, the group also took action to make the records inaccessible using the general internet.
It was confirmed on December 23, 2019 by Sunshine Behavioral Health Group that the cloud-based system contained a folder with information including names, addresses, debit/credit card numbers, security codes, expiry dates, and digital signatures of people who made payments for healthcare services.
The exposed information was associated with people who paid for medical services at the addiction treatment and rehabilitation centers of Chapters Capistrano, Monarch Shores, Mountain Springs and Willow Springs Recovery.
All people who had their information exposed received offers of 2-years free membership to MyIDCare protection services.
The HHS’ Office for Civil Rights breach portal hasn’t published the incident yet so it is unclear at this time how many people were affected.
Patient Information Stolen in Burglary at Lake County Behavioral Health
Lake County Behavioral Health located in Clearlake, CA reported its encounter of a break-in on December 5, 2019. Thieves took a locked filing cabinet that contains the health information of clients.
The information contained in the stolen records included patient names, contact phone numbers, prescribed medicines, case numbers, appointment schedules, payments, and amounts owed. One file also included a patient’s birth date, medical history, Social Security number, disability status, income verification details, history of substance use, and Medi-Cal ID number.
Lake County Behavioral Health mailed notifications to all patients whose records were stolen and directed them to submit a fraud alert in the event of misuse of their information. All files that were not stolen have been transferred to a locked room within the facility that is equipped with an alarm system and 24-hour video surveillance. The Clearlake Police Department is still investigating the break-in but there are no arrests thus far.
PHI Breach at Jefferson Center for Mental Health
Jefferson Center for Mental Health provides mental health care and substance use services in a community in Colorado. Its Independence Corner facility in Wheat Ridge had a burglary on November 29, 2019.
The center discovered the burglary on December 2, 2019 and reported it to law enforcement. The perpetrators did not take any paperwork containing patient data, however, it is probable that the thieves viewed the personal and treatment data of 1,319 patients.
It is unlikely that there was unauthorized data access. However, patients were cautioned to keep an eye on their accounts. Jefferson Center for Mental Health is currently working on improving the physical security of its offices.