Burrell Behavioral Health ("Burrell Behavioral") sent letters to clients informing them that a business associate’s Internet-facing portal, which contained electronic images of Burrell’s protected health information (“ePHI”), was improperly secured and potentially permitted access to unauthorized individuals. The ePHI was loaded on the server in August, 2018 and contained medical record information which could include one or more of the following: name, address, telephone number, date of birth, gender, date of service, type of services, insurance information, driver’s license number, and social security number.
Upon discovery, Burrell immediately contacted its business associate to shut off portal access and launched an investigation. Computer forensics experts determined that there was a very low probability that any information was actually accessed; there was no evidence that any unauthorized individuals or automated website crawlers or scanners had accessed the ePHI, and the ePHI was formatted in a manner that did not allow access through general internet searches or casual internet browsing.
Identity monitoring and protection services will be offered free of charge, as appropriate, for individuals whose social security number has been compromised by this incident. Affected individuals, or those who want to know whether or not they were affected, may call 1-(855) 571-5874, Monday through Friday, 8 a.m. to 5 p.m. CDT beginning Wednesday, April 3, 2019.
Concerned individuals may wish to obtain a free credit report from each of the credit reporting bureaus – Equifax, Experian and TransUnion. The credit bureaus’ information is below:
Equifax: 888-298-0045, www.equifax.com
Experian: 888-397-3742, www.experian.com
TransUnion: 800-680-7289, www.transunion.com
“We value the privacy and security of patient protected information and we are committed to protecting the confidentiality and privacy of our patients,” said Darren Johnson, Vice President, Information Technology for Burrell. “It is our priority to support those who have been affected.”
“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Johnson said. “We have an effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect ePHI. We are working with all of our business associates to ensure all ePHI is appropriately secured, and that additional technical and administrative safeguards are implemented to permit the secure transition of paper medical records to electronic form.”