Business Associate Data Breach Exposes Burrell Behavioral Health Patient Data

Burrell Behavioral Health has revealed that a business associate’s error has compromised the data of 70,000 patients.

The error occurred in August 2018. The business associate, which remains unnamed, accidentally exposed images of Burrell Behavioral Health patients’ PHI. The error was attributed to a flaw in the business associate’s internet-facing portal.

The images contained information such as patient names, addresses, telephone numbers, birth dates, genders, dates of service, types of service provided, health insurance information, driver’s license numbers, and Social Security numbers.

PHI can be used by criminals to commit fraud, and therefore any breaches of sensitive data such as this can have severe consequences for victims of the breach.

Burrell Behavioral Health became aware of the data breach on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure, and the server was immediately secured.

Burrell Behavioral Health launched a forensic investigation into the breach. Investigators needed to determine precisely what information had been exposed during the breach, to which patient that information pertained, and whether any unauthorised individual gained access to the data.

The investigators failed to find evidence that an unauthorised third party accessed the information. Furthermore, automated ‘website crawlers’ and scanners, which criminals use to look for accidentally exposed information such as this, had not accessed the information. Importantly, investigators concluded that it would not have been possible for the information to be accessed through general web browsing or internet searches due to the particular format of the images uploaded.

Consequently, the investigators concluded that there is a “very low probability” of an unauthorised individual accessing the data. However, due to the potentially severe consequences if they were mistaken, all patients whose Social Security numbers were compromised as a result of the breach have been offered complimentary identity theft monitoring and protection services.

Burrell Behavioral Health has taken steps to prevent any further breaches of this nature from occurring and is working with its business associates to make sure they have adequate technical and administrative safeguards in place to ensure the confidentiality of patient information.

Darren Johnson, Burrell vice-president of information technology, said, “effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect (private patient data).”

Following HIPAA’s Breach Notification Rule, breach notification letters have been sent to the 67,493 patients affected by the breach.