[BreachExchange] 67, 000 Patients Impacted by Business Associate Breach from August 2018

Tue Apr 2 09:22:21 EDT 2019

https://healthitsecurity.com/news/67000-patients-impacted-by-business-associate-breach-from-august-2018

Springfield, Missouri-based Burrell Behavioral Health is notifying
67,493 patients that their medical data was potentially breached in
August 2018, after its business associate left a server containing
ePHI exposed to the internet.

According to the notice, officials said the business associate’s
internet-facing portal containing electronic images of Burrell’s
protected health information was improperly secured, which potentially
allowed access to unauthorized individuals.

In August 2018, the data was uploaded onto the server, which included
a trove of patient data including names, addresses, phone numbers,
dates of birth, dates and types of service at Burrell, insurance
details, driver’s license numbers, and Social Security numbers.

Officials said they contacted the business associate as soon as the
error was discovered to ensure portal access was shut off to the
public. However, the notification did not explain when the error was
first discovered, nor how long the misconfigured database was left
open to the internet.

An investigation determined there was no evidence any individuals or
automated web crawlers or scanners accessed the patient data. Further,
“the ePHI was formatted in a manner that did not allow access through
general internet searches or casual internet browsing,” officials
said.

Patients whose Social Security numbers were compromised by the
misconfiguration error are being offered a year of free identity
monitoring and protection services.

“We are taking the necessary and appropriate steps to prevent this
type of incident from occurring in the future,” Darren Johnson,
Burrell’s Vice President of Information Technology, said in a
statement. “We have an effective security program, but we are
continuing to evaluate and implement additional administrative,
technical and physical safeguards to protect ePHI.”

We are working with all of our business associates to ensure all ePHI
is appropriately secured, and that additional technical and
administrative safeguards are implemented to permit the secure
transition of paper medical records to electronic form,” he added.

This is Burrell’s second breach notification in the last two years.
The behavioral health provider fell victim to a cyberattack in July
2016, which compromised an employee email account. About 7,700
patients were impacted in the security incident.

Business associate-related breaches and misconfigured servers continue
to be a pain-point for the healthcare sector. The most recent – and
largest—- Wolverine Solutions Group, impacted the health data of more
than 600,000 Michigan residents, stemming from a September 2018
ransomware attack.

The key to managing business associates in healthcare is through
inventory and management, ensuring the strong contract holds vendors
accountable when a security incident occurs. Annual risk assessments
are also a crucial part of vendor management.