Texas Mental Health Center HackedData on More Than 11,000 Patients Exposed
A recent hacking incident affecting more than 11,000 mental health patients in Texas is a reminder of the risks cyberattacks pose to individuals' most sensitive data.
Emergence Health Network, a not-for-profit organization providing services to patients with mental health issues and intellectual disabilities in El Paso county, says in an Oct. 16 statement that it discovered in August that one of its computer servers was compromised "through an unauthorized Internet connection" that might have begun as far back as 2012.
A third-party analysis of the incident determined that data was not copied or exfiltrated, an EHN spokeswoman tells Information Security Media Group. Also, the analysis determined that the organization was likely not the target of the hackers, but rather a "gateway" to another unidentified target, she adds.
While EHN says it doesn't believe medical record information was exposed in the cyberattack, the fact that the exposed data included names of patients seeking mental health services presents a serious privacy concern for affected individuals, says Tom Walsh, founder of consulting firm tw-Security.
"Any privacy breach is worrisome. However, when the breached information is linked to sensitive types of treatments or diagnosis such as mental health and intellectual disabilities, it makes event potentially more damaging," Walsh says. "Events like this may cause individuals to choose not to seek help for fear of the repercussions or harm if that information is ever leaked. All it takes is a person's name connected to a mental healthcare facility to damage a person's reputation."
The breach, which was reported on Oct. 16 to the U.S. Department of Health and Human Services, exposed information on about 11,200 patients, the EHN spokeswoman says.
The incident was recently posted on HHS' Office for Civil Rights "wall of shame" website listing health data breaches affecting 500 or more individuals.
In a notification letter being sent to affected individuals, the organization says: "EHN became aware of strange activity on one of our computer servers on August 18, 2015. Someone, without permission from EHN, accessed the computer server through an Internet connection. Because of the Internet, the person or persons could have accessed this computer server from any location. A computer specialist inspected the computer server and found out that the first unapproved access of the server may have happened back in 2012."
The information stored on the server included patients' first and last names, addresses, dates of birth, Social Security numbers, case numbers and information indicating that the individual accessed services from EHN or Life Management Center El Paso, the entity's previous name. "We are confident that no medical records were contained within the server," the notification letter states.
In a statement, Kristi Daugherty, CEO of EHN, says the organization is working to communicate with any individuals who may have been affected by the data compromise and to respond to any questions or concerns through a hotline and email service. "EHN works hard to protect the privacy of our consumers and to provide the highest level of service," she says. "We have already taken additional security steps to reduce any future risk."
Upon discovery of the breach, "the affected computer server was disabled to minimize a compromise," the notification letter says. In addition, EHN has taken other steps to beef up its information security, including its firewalls, and it implemented third-party monitoring "to put another set of eyes on our security," the spokeswoman says.
EHN will provide free credit monitoring to affected individuals on a case-by-case basis, she adds.
Lack of Resources
While mental health services providers handle some of patient's most sensitive data, many of those organizations, including non-profit and county-funded centers, often lack resources to effectively protect that information, says Walsh, the security consultant.
"Some smaller organizations assume more risks because they lack the skilled staff or budget to implement technologies that could further reduce their risks," he says. "Unfortunately, county-run health services are often working with tighter budgets each year. Information security may not be a high priority. Over the years, I have found that county mental health staff are dedicated to their patients. [But] security, HIPAA and information technology are not as high of a priority. "
Walsh stresses that "mental health facilities owe it to the people they serve to secure the data by implementing adequate security controls. Obviously, hindsight is 20/20. There is always something more that organizations can do to improve their security posture."
The hacking incident at EHN was discovered shortly after many other organizations in the healthcare and government sectors, including Anthem Inc. and the U.S. Office of Personnel Management, were targeted by hackers.
"Realistically, it is challenging for any organization to prevent a targeted attack," Walsh notes. "If the federal government - with its resources - cannot prevent hacks, what chances do smaller organizations have?"