A breach at Health Recovery Services has compromised the protected health information (PHI) of over 20,000 patients.
Based in Athens, Ohio, Health Recovery Services is a provider of alcohol and drug addiction services. On February 15, 2019, a staff member at the facility noticed suspicious activity on the organisation’s network. Health Recovery Services immediately launched an investigation into the breach. The resulting report was published on April 5th, 2019.
The report stated: ‘On March 15, 2019, our third-party forensic expert determined that the unauthorised access to our network occurred from November 12, 2018, until its discovery on February 5, 2019.’
The investigators discovered that an unauthorised IP address had intruded on their network. Health Recovery Services' network and information were taken offline to revoke the unauthorised individual's access. A third-party computer forensics firm was contracted to assist with the investigation into the scope of the breach and to assess its potential consequences.
Cybersecurity experts have rebuilt the network to ensure that it is fully secure and that the unauthorised individual no longer has access.
The investigators did not uncover evidence indicating that the unauthorised individual accessed or downloaded patient information. However, they were unable to completely rule out the possibility that this occurred.
Following HIPAA’s Breach Notification Rule, notification letters have been sent to all affected patients ‘out of an abundance of caution’.
The affected server held files which contained patient names, addresses, contact telephone numbers, and dates of birth. Patients who received treatment at Health Recovery Services after 2014 also had medical information, health insurance information, diagnoses, treatment information, and Social Security numbers exposed.
Health Recovery Services has completed a review of its policies, procedures, and cybersecurity measures to assess where improvements can be made. The facility intends to improve its cybersecurity safeguards to reduce the risk of a similar data breach occurring.
Health Recovery Services further intends to adopt policies that would limit the harm that can be caused should a further network server breach be experienced in the future.
The breach affected 20,485 patients.
This incident highlights the need for a robust cybersecurity framework to protect against malware attacks. Although Health Recovery Services has not offered information on the cause of this breach, it is possible that it can be attributed to an employee accidentally giving a hacker access to the network after being fooled by a phishing attack. Organisations of all sizes should provide adequate training to their staff on how to spot phishing emails and how to avoid becoming a victim of these campaigns.