Health Recovery Services in Athens, Ohio, recently notified 20,485 patients after discovering in that an unauthorized IP address had accessed their network. The unauthorized access appears to have begun in November, 2018, and continued until the intrusion was discovered on February 5, 2019. Although investigation could not find any evidence that ePHI had been accessed, the investigators could not definitely rule access out, so HRS notified patients that their name, address, date of birth, and for those who became patients after 2014, diagnosis, insurance information and treatment information. In this case, the diagnostic and treatment info could be particularly sensitive, as HRS’s mission is to serve those affected with mental illness and alcohol, tobacco, and drug addiction.
A copy of their notification appears below.1888a8_26b6edf126d44baeb08126034cd90aa7