15,500 Community Psychiatric Clinic Patients Affected by Three Cybersecurity Incidents

Community Psychiatric Clinic is notifying over 15,500 patients that their protected health information (PHI) may have been compromised in three recent security incidents.

Community Psychiatric Clinic (CPC) is a provider of mental health services based in Seattle, WA. On 12 March, 2019, CPC noticed suspicious activity on an employee email account. CPC immediately took steps to revoke unauthorised access by forcibly changing the passwords associated with the account and restoring the employee’s hard drive. An internal investigation was launched with concluded that the unauthorised individual had not exfiltrated any data from the account.   

A similar incident took place on May 8, 2019, when another employee’s email account appeared to have been accessed by an unauthorised individual. The hacker appeared to attempt to wire transfer funds to an account owned by the hacker. CPC took immediate steps to interrupt the process and all funds were recovered.

Forensic investigations were launched into both incidents with the hope that issues could be identified and resolved to prevent incidents like this from happening in the future.

The experts did not find evidence to suggest that the hacker altered, copied, or exfiltrated patient in either incident, but the possibility could not be ruled out definitively. As a result, CPC is sending breach notification letters to affected patients to encourage them to monitor their accounts carefully for signs of fraudulent activity.

Very little information is known about the third incident which is listed on the Department of Health and Human Services’ Office for Civil Rights’ breach portal. Three incidents were reported on August 15, 2019, affecting 3,030, 6,641, and 5,866 patients each, resulting in a total of 15,537 individuals affected.

Sound, a Washington provider of mental health and addiction treatment services, has recently announced it is combining its services with those of Community Psychiatric Clinic. The merger is expected to be completed in the fall of 2019.

No press releases appear to have been issued and there is no mention of the breaches on the Sound website.

HIPAA Journal contacted Sound requesting further information on the incident(s), but no response has been received to date.  Further information on the Community Psychiatric Clinic breach will be posted here as and when further information becomes available.