MO: Burrell Behavioral Health notified more than 67,000 patients whose ePHI was exposed by business associate
On March 29, Burrell Behavioral Health published a news release about an unnamed business associate accidentally exposing the ePHI of more than 67,000 patients back in August 2018. Burrell’s notification, reproduced below, does not indicate when the problem was first detected or how Burrell learned of it, but it was Burrell that notified its business associate to secure the portal access. Today, they said that there’s no evidence that any personal information was stolen.
This is the second time in the past two years that Burrell has disclosed an incident and claimed that there was no evidence that any data had been stolen. How long can their luck hold out?
This incident is not up on HHS’s breach tool as of the time of this posting.
SPRINGFIELD, Mo. (News Release) — Burrell Behavioral Health recently sent letters to clients informing them that a business associate’s Internet-facing portal, which contained electronic images of Burrell’s protected health information (“ePHI”), was improperly secured and potentially permitted access to unauthorized individuals.
The ePHI was loaded on the server in August, 2018 and contained medical record information for up to 67,493 individuals, which could include one or more of the following: name, address, telephone number, date of birth, gender, date of service, type of services, insurance information, driver’s license number, and social security number. Burrell will notify potentially affected clients via letter and by substitute notice posted on Burrell’s website.
Upon discovery, Burrell immediately contacted its business associate to shut off portal access and launched an investigation. Computer forensics experts determined that there was a very low probability that any information was actually accessed; there was no evidence that any unauthorized individuals or automated website crawlers or scanners had accessed the ePHI and the ePHI was formatted in a manner that did not allow access through general internet searches or casual internet browsing.
Identity monitoring and protection services will be offered free of charge, as appropriate, for individuals whose social security number has been compromised by this incident. Affected individuals, or those who want to know whether or not they were affected, may call 1-(855) 571-5874, Monday through Friday, 8 a.m. to 5 p.m. CDT beginning Wednesday, April 3, 2019.
“We value the privacy and security of patient protected information and we are committed to protecting the confidentiality and privacy of our patients,” said Darren Johnson, Vice President, Information Technology for Burrell. “It is our priority to support those who have been affected.”
“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Johnson said. “We have an effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect ePHI. We are working with all of our business associates to ensure all ePHI is appropriately secured, and that additional technical and administrative safeguards are implemented to permit the secure transition of paper medical records to electronic form.”
Concerned individuals may wish to obtain a free credit report from each of the credit reporting bureaus – Equifax, Experian and TransUnion. The credit bureaus’ information is below:
Equifax: 888-298-0045, www.equifax.com
Experian: 888-397-3742, www.experian.com
TransUnion: 800-680-7289, www.transunion.com