2 Hacks Involving Mental Health Data Affected Nearly 400,000
Includes Ransomware Attack on Social Services Provider, Email Hack on Behavioral Health Entity
Two hacking breaches - one at a non-profit provider of mental health and substance treatment services and the other at a provider of behavioral health services - affected sensitive information of nearly 400,000 individuals.
The breaches include a 2022 ransomware attack on Lutheran Social Services of Illinois that affected nearly 184,000 individuals, and an email hacking incident affecting nearly 194,000 people involving North Carolina-based Mindpath Health.
Mental health and substance use disorder data are especially appealing targets for hackers, and also the subject of extra regulatory requirements in some states. That elevated risk isn't necessarily translating into heightened vigilance, warn security experts who cite evidence including the two latest hacks.
"It’s worthwhile to proactively consider how much super-sensitive PHI you have, and whether it’s being appropriately protected in consideration of the likely reaction if an incident occurs," says attorney Brad Rostolsky of the law firm Reed Smith.
Organizations should consider how much they need to retain that data in the first place, says attorney Linda Malek, head of Moses Singer's Healthcare and Life Sciences and Healthcare Privacy and Cybersecurity groups. "Entities should be practicing data minimization as a matter of course, whether or not required by law, to protect as much as possible against sensitive data exposure if in fact there is a hacking incident."
Entities that experience breaches involving ultra-sensitive data can also face particularly harsh reputational blowback. "Because of the stigma and delicacy surrounding behavioral health, providers stand to lose patient trust and possible legal action," says Kate Borten, president of privacy and consulting firm The Marblehead Group.
LSSI Ransomware Incident
LSSI touts itself as Illinois' largest statewide provider of foster care services, as well as a provider of an array of other services. Those include mental health services, alcohol and drug treatment, senior housing and residential programs for people with developmental disabilities.
A company breach report filed on Wednesday says it underwent a ransomware incident affecting nearly 184,000 individuals.
The LSSI ransomware incident was discovered a year ago, on Jan. 27, 2022, according to the organization's own breach notification statement.
An internal investigation and review of affected data wasn't completed until December 28.
The types of information contained on the affected systems include names, dates of birth, Social Security numbers, financial account information, driver license numbers, biometric information, medical diagnosis and treatment information, and health insurance information, Lutheran says.
The Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website shows that LSSI reported on March 25, 2022 a HIPAA breach involving a hacking/IT incident and network server that affected 1,000 individuals.
An attorney representing LSSI did not immediately respond to Information Security Media Group's request for additional information about the incident, including whether the breach LSSI reported to HHS OCR in March 2022 was the same hacking incident as the ransomware breach it reported this week.
Mindpath Health Email Breach
Mindpath Health, an independent provider of outpatient behavioral health services in eight states, reported its email hacking incident to HHS OCR on Jan. 10 as affecting nearly 194,000 individuals.
The company's breach notice says the incident involved unauthorized access to two employee email accounts, one in March 2022 and the second in June 2022.
Affected data includes patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.
"We have also taken proactive steps to enhance the security of all information to help prevent similar incidents from occurring in the future," a Mindpath Health spokesperson told Information Security Media Group.