Update of April 24: On April 21, BHC reported this incident to HHS as impacting 4,229 patients.
In what may be the worst breach of 2017 so far in terms of highly sensitive and confidential patient records, a behavioral and mental health center in Maine recently learned that its patients’ records – including evaluations, session notes, and records of sex offenders and sex abuse victims – had not only been in the hands of one criminal, but had reportedly been sold to an unknown party for unknown purposes.
An ad placed on a dark web forum on March 18, began:
From a psychiatric practice with not-so-great network security. DETAILED information on each patient including:
- Name, address, phone, employer
- SSN, DOB, race, primary care physicians
- Complete family history, substance use history, legal history, psychiatric and medical history
- COMPLETE DETAILED notes on EVERYTHING discussed in therapy sessions
These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years. Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.
In a subsequent post, the seller clarified:
Also, while there are 4500+ patient records, some of the records are for the same person subsequently relapsing back into treatment. I’d estimate there are 3000-3500 unique individuals represented across those 4500+ records.
From other comments the seller made, it appeared he might have obtained more than just patients’ records:
These are for sale, all of them or nothing. I don’t have the time or interest to sell a few here and a few there. Just name/address/DOB/SSN for one person goes for $3/each, and this is SO MUCH more. Just use them for individual fullz, sell them back to the clinic they came from (they have a $4MM insurance policy to cover malpractice, errors and omissions, etc so that may cover this for all I know), or who knows what you could do with complete confidential medical/substance/psychiatric histories on everyone from bank presidents to garage mechanics.
By the following Monday, the seller updated the listing with one word: “SOLD.”
The selling price was not indicated, but the seller had indicated that he would not accept offers less than $10,000.00 for everything. The seller did not respond to an inquiry from this site about how he gained access to the files and whether he had any idea how the unidentified buyer intended to use the data. In fact, because this was a forum listing with no public replies, it was not possible for this site to confirm that the files had actually been sold.
From a redacted sample the vendor had provided, however, it was possible to determine that the sample file came from Behavioral Health Center in Bangor, Maine.
DataBreaches.net, who had not become aware of the listing until after the sale was presumably concluded, contacted BHC on Sunday, March 26 to alert them to the listing and claimed data acquisition. Their emergency call service contacted them, and within one hour, the owner of the center called me back.
DataBreaches.net delayed reporting the incident publicly to give BHC a chance to initiate incident response.
Via an email communication today, William Donahue of BHC informs DataBreaches.net that following our communication, BHC immediately initiated an investigation. They are currently working with a forensic IT team to identify the extent of the breach and to identify those who need to be notified. They are also working with legal counsel to address the situation and to fulfill any notification obligations under applicable state and federal laws.
Donahue, a licensed clinical social worker, also wrote, “As a health care provider and owner of a practice in the behavioral health field, I share your zealous interest in ensuring that the behavioral health information of the clients of this practice be maintained and preserved in a confidential and secure manner.”
Having spoken with him, DataBreaches.net has no doubt of his commitment and concern. I wish Mr. Donahue and his team the very best as they move forward to try to address and mitigate this breach, and will update this post if more information becomes available.