BreachExchange mailing list archives
67,000 Patients Impacted by Business Associate Breach from August 2018
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 2 Apr 2019 08:22:21 -0500
https://healthitsecurity.com/news/67000-patients-impacted-by-business-associate-breach-from-august-2018

Springfield, Missouri-based Burrell Behavioral Health is notifying 67,493 patients that their medical data was potentially breached in August 2018, after its business associate left a server containing ePHI exposed to the internet.

According to the notice, officials said the business associate’s internet-facing portal containing electronic images of Burrell’s protected health information was improperly secured, which potentially allowed access to unauthorized individuals.

In August 2018, the data was uploaded onto the server, which included a trove of patient data including names, addresses, phone numbers, dates of birth, dates and types of service at Burrell, insurance details, driver’s license numbers, and Social Security numbers.

Officials said they contacted the business associate as soon as the error was discovered to ensure portal access was shut off to the public. However, the notification did not explain when the error was first discovered, nor how long the misconfigured database was left open to the internet.

An investigation determined there was no evidence any individuals or automated web crawlers or scanners accessed the patient data. Further, “the ePHI was formatted in a manner that did not allow access through general internet searches or casual internet browsing,” officials said.

Patients whose Social Security numbers were compromised by the misconfiguration error are being offered a year of free identity monitoring and protection services.

“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Darren Johnson, Burrell’s Vice President of Information Technology, said in a statement.

“We have an effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect ePHI. We are working with all of our business associates to ensure all ePHI is appropriately secured, and that additional technical and administrative safeguards are implemented to permit the secure transition of paper medical records to electronic form,” he added.

This is Burrell’s second breach notification in the last two years. The behavioral health provider fell victim to a cyberattack in July 2016, which compromised an employee email account. About 7,700 patients were impacted in the security incident.

Business associate-related breaches and misconfigured servers continue to be a pain-point for the healthcare sector. The most recent – and largest – Wolverine Solutions Group, impacted the health data of more than 600,000 Michigan residents, stemming from a September 2018 ransomware attack.

The key to managing business associates in healthcare is through inventory and management, ensuring the strong contract holds vendors accountable when a security incident occurs. Annual risk assessments are also a crucial part of vendor management.