Data Breach at Kentucky Counselling Center Exposes 16,440 Files

Kentucky Counselling Center has announced that a data breach has resulted in the exposure of 16,440 patient data files. 

On January 4, 2019, a former employee notified Kentucky Counselling Center (KCC) that they had received an email containing a hyperlink that led to a database of patient information stored on a file-sharing service. KCC launched an investigation into the claim and concluded that one of its staff members had accessed patient information and copied it to the file-sharing service without authorisation. This act amounts to a severe HIPAA violation.

The investigation revealed that the patient data was downloaded and stolen on December 6, 2018. The member of staff that KCC believes is responsible for the breach is no longer an employee of the facility. It is not known whether KCC fired the employee or whether they left of their own accord.

Following HIPAA’s Breach Notification Rule, KCC sent breach notification letters to all patients affected by the breach. KCC explained in its breach notification letter that they have yet to uncover any evidence that the stolen data was used for nefarious purposes, and that they “do not believe the individual took the list to cause harm to individuals on the list”. 

Patient data has a high black market value, and those who have their data stolen in a breach are at a higher risk of becoming victims of fraud. Therefore, out of an abundance of caution, KCC is offering free credit monitoring services to affected patients for 12 months.

KCC revealed that the information stolen by their former employee included full name, address, date of birth, phone numbers, gender, marital status, employment status, insurance payor, insurance number, Social Security number, last and next appointment dates, and KCC clinician name.

Since the data breach, KCC has taken measures to improve their security framework and mitigate the risks of a similar insider data breach occurring in the future. These measures include implementing strong password requirements and using multi-factor authentication on its computer system.

KCC is one of the state’s largest behavioural health providers and offers counselling, psychiatry, suicide prevention and case management for children and adults. KCC has locations in Frankfort, Lexington, Richmond, Covington and London.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA