Data Breach Affects 300,000 Mental Health Clinic PatientsLargest Breach of Its Kind So Far This Year
A recent data breach at a Colorado-based mental health clinic that exposed data on nearly 300,000 individuals is the latest of several in the mental health sector this year.
See Also: HIPAA Audits: A Revised Game Plan
Colorado Springs-based AspenPoint Inc., which offers inpatient and outpatient services ranging from substance use disorder treatment to psychiatric assessments, on Nov. 19 reported the hacking incident to the U.S. Department of Health and Human Services.
The AspenPointe incident appears to be the largest breach involving a mental healthcare provider posted so far in 2020 on the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Among the other breaches reported this year that involved mental health providers are two incidents affecting a combined total of more than 62,000 individuals reported in October by Centerstone of Indiana and Centerstone of Tennessee, which are part of the same organization.
"Historically, mental health records have been recognized as highly sensitive," notes Kate Borten, president of privacy and security consulting firm The Marblehead Group. "Unauthorized release of the patient information can significantly impact a person's life."
Privacy attorney David Holtzman of the consulting firm HITprivacy adds: "The information compromised through the security incidents involving behavioral health and substance abuse treatment providers is especially sensitive because it can expose the individuals whose data was disclosed to significant financial fraud or harm to their reputation."
In a breach notification statement posted on its website, AspenPointe notes that it experienced "a cyberattack on our technological infrastructure" in late September. "The severity of this attack forced us to close the majority of our operations for several days, and we immediately launched an investigation into its origin."
As a result of AspenPointe's investigation and document review, which concluded Nov. 10, the clinic discovered that individuals' full names and one or more of the following were removed from its network: dates of birth, Social Security numbers, driver's license numbers, and/or bank account information, the statement says.
"To date, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident," AspenPointe says in the notification to patients.
AspenPointe did not immediately respond to Information Security Media Group's request for additional details about the breach, including whether ransomware was involved and whether any medical records were stolen.
The hacking incident at AspenPointe illustrates why mental health providers need to take extra security precautions, says Susan Lucci, senior privacy and security consultant at tw-Security.
"All mental health providers should ensure that enough attention and budget is given to their IT departments to ensure the best security solutions are in place, including intrusion detection, and tighten up on endpoint security for all users," she says.
"Endpoint security is critical at a time when so many people are working remotely and treatment services are being provided remotely."
All members of the workforce need to be "informed on the latest threats to healthcare data," she adds. "This means specific content in periodic reminders that are reflective of the types of attacks that are being levied against healthcare providers."
Mental healthcare organizations and others need to limit access to sensitive data to only those with appropriate roles, Holtzman stresses.
"Do not create unnecessary or duplicative collections of sensitive PII, including information stored on backup servers, network drives or unencrypted drives or applications," he says. "Securely delete electronic files containing sensitive PII that is no longer needed wherever it is stored."
Some mental health and substance disorder treatment centers that participate in certain federal healthcare programs also must comply with the federal Confidentiality of Substance Use Disorder Patient Records - or 42 CFR Part 2 privacy regulations - which include provisions such as special consent requirements for how healthcare providers can share patient information.
"While the HIPAA Privacy Rule generally limits use and disclosure of PHI to those who have a need to know, 42 CFR Part 2 is much more stringent," Holtzman notes. "It sets limited circumstances under which mental health or substance abuse treatment data patient information may be used, disclosed or re-disclosed. And the majority of disclosures require written consent."
In addition, the Coronavirus Aid, Relief and Economic Security Act - commonly known as the CARES Act - passed by Congress in March "amended sections of the Part 2 authorizing statute requiring HHS to enhance the enforcement for unauthorized disclosures of behavioral health and substance abuse data as well as add breach reporting requirements," Holtzman notes.
These amendments will align Part 2 more closely with HIPAA and extend the HIPAA civil monetary penalties and breach notification provisions to Part 2 programs, he says. "However, HHS has not issued regulations needed to put these new protections into place and has not indicated when it plans to do so."
Many mental healthcare entities are relatively small and lack security expertise and resources, Borten points out.
"There can be a disconnect between stating a patient privacy commitment and day-to-day behavior," Borten notes. "Across healthcare, even many years after HIPAA enforcement began, there can be lax compliance, for example, in casual conversations with colleagues and even family and friends."