WV: Prestera Mental Health Center reports an incident — but is it really a new one?
On July 20, Prestera Mental Health Center posted a notice about what they describe as a “recent” incident. Their notice, which has been picked up by other sites, states, in part:
“What Happened? On or about April 1, 2021, Prestera Center discovered that information related to certain individuals was potentially accessible to an unknown actor in or about August and September 2020. This incident involved unauthorized access to certain email accounts used by Prestera Center employees. While our investigation was able to confirm access to certain employees’ email accounts, the investigation was unable to rule out access to any emails or attachments contained within those email accounts. Therefore, out of an abundance of caution, a review of the entire contents of the impacted email accounts was conducted to identify emails or attachments containing personal information.
The notice does not indicate the number of people impacted, and the incident is not on HHS’s public breach tool — or at least, not yet. Or is it?
On December 31, 2020, Prestera reported an incident to HHS that reportedly impacted 3,708 patients. They also issued a notice at that time which is still on their web site. That notice describes an email incident. It does not state when it occurred or how many employee accounts were involved, and so we cannot tell if this new report related to the same incident reported in December of 2020 or not. Did Prestera just subsequently discover more compromised accounts than they had discovered in 2020? Is this really an update to a prior report or it really a separate incident? The December, 2020 report is still an open investigation on HHS’s public breach tool.
DataBreaches.net reached out to Prestera on July 23 through their web site to ask whether the newest report was the same incident originally reported in December or not. No reply has been received, but DataBreaches.net will update this post if an explanation or reply is received.
In the 2020 report, the type of data involved was described as
patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers. The exact elements of personal information that were affected as a result of this incident varied per individual.
In the July, 2021 report, the type of data involved has been described as:
names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, or health insurance information, was contained within at least one of the impacted email accounts. Please note that the information varies by individual and for many individuals, a limited number of data types were determined to be accessible.