Email Security Breaches at Centerstone and Arkansas Otolaryngology Center

An unauthorized person accessed the email account of an employee of Centerstone, which provides mental health and substance use disorder treatment services in Illinois, Indiana, Florida and Tennessee.

Centerstone detected suspicious activity in the email account and secured it right away. According to the investigation results, the unauthorized person had access to the email account from December 12, 2019 to December 16, 2019. However, the investigators only confirmed on August 25, 2020 that the account contained protected health information (PHI).

The breach compromised patients' PHI, including names, birth dates, Social Security numbers, state identification card numbers, driver’s license numbers, medical diagnoses, treatment data, Medicaid and Medicare details, and medical insurance data. The types of exposed information differed from one patient to another. Some employee data were also likely compromised.

Centerstone sent breach notification letters to affected patients on October 22, 2020 and gave additional information on how to minimize the danger of data misuse.

Centerstone stated that it invested $800,000 in IT security infrastructure after the breach, which included new software programs and security devices. Third-party security experts are conducting a security review and gap evaluation to identify any other areas where security needs improvement. Policies and procedures are likewise being re-evaluated, and employees are being given more training on IT security.

Based on the breach reports sent to the Department of Health and Human Services’ Office for Civil Rights, the breach impacted 50,965 Centerstone patients in Tennessee and 11,638 Centerstone patients in Indiana.

Arkansas Otolaryngology Center Informs 12,000 Patients Concerning Email Breach

Arkansas Otolaryngology Center in Little Rock, AR is notifying 12,000 of its patients regarding an email security breach identified on July 17, 2020. An unauthorized person was found to have acquired access to an employee’s email account and was sending unauthorized messages through the account.

A third-party computer forensics firm helped Arkansas Otolaryngology Center confirm the compromise of four email accounts from July 17, 2020 to July 27, 2020. It was not possible to determine whether any email messages were accessed while the unauthorized person had access to the accounts.

An evaluation of the emails and attachments in the compromised accounts showed that they contained the following types of PHI: names, birth dates, Social Security numbers, medical record numbers, diagnoses, physicians’ names, state identification card numbers, driver’s license numbers, insurance group numbers, locations of treatment, and treatment or procedure codes or types. The financial account details of some individuals were likewise exposed.

Upon uncovering the breach, Arkansas Otolaryngology Center performed a complete password reset. Additionally, extra technical safeguards were put in place to prevent further email breaches. People impacted by the breach also received offers of free credit monitoring services.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA