PHI Exposed at Heart of Texas Behavioral Health Network Data Breach and Three More Security Incidents

Heart of Texas Behavioral Health Network Cyberattack

The Heart of Texas Behavioral Health Network (HOTBHN), previously known as the Heart of Texas Region MHMR Center, helps individuals and families that have intellectual and developmental disabilities. It reported that the sensitive data of 63,776 people was accessed without authorization in a cyberattack.

HOTBHN detected the cyberattack on October 22, 2023, and shut down access to the network right away. A third-party forensic company investigated the incident to determine the impact of the unauthorized activity. HOTBHN stated it did not find any evidence of misuse of patient information, but it confirmed that patient data was exposed to a third party. The exposed data differed from one person to another and might have included one or more of the following: first and last name, Social Security number, address, birth date, medical record number, medical insurance policy number, and health and treatment data.

HOTBHN stated it has evaluated and improved its technical safety measures to prevent a similar incident in the future. It has informed the impacted persons and provided them with free credit monitoring and identity theft protection services for one year. A threat group called DragonForce has claimed to be behind the attack and says it extracted about 56 GB of information. HOTBHN was listed on the DragonForce group’s data leak website; however, the data is not presently accessible.

Email Account Breach at United Healthcare Services, Inc.

Accountable Care Organization, United Healthcare Services, Inc. Single Affiliated Covered Entity (UHS) submitted a report to the HHS’ Office for Civil Rights about a data breach that impacted 4,264 people. An unauthorized person gained access to an Equality Health employee’s email account. The account was accessed from April 11, 2023 to April 12, 2023. Equality Health informed UHS of the breach on October 16, 2023. The review of the exposed email account showed it contained the following data: names, birth dates, addresses, genders, UHC member ID numbers, Medicare plan data, Medicare ID numbers, and primary care provider data.

According to UHS, the breach was caused by an employee mistake and a prior improper disclosure of patient data. In September 2020, a UHC staff member sent member data to an Equality Health employee when trying to confirm if their primary care company was in Equality Health’s network. The UHC employee should not have included the data in the email. Neither UHS nor Equality Health knew about the impermissible disclosure until recently. The investigation by Equality Health did not find any evidence that the exposed data was misused.

The impacted people received notification letters, and Equality Health has provided them with free credit monitoring services. The employee involved in the initial impermissible disclosure was given extra training.

Coos Health and Wellness Cyberattack

The Coos, OR, Public Health Department, Coos Health & Wellness, sent notifications to 14,040 people about the exposure and potential theft of some of their PHI by unauthorized persons during a cyberattack in April 2023.

The provider detected the unauthorized activity in its system on November 28, 2023. The forensic investigation revealed that an unauthorized person gained access to the system on or about April 28, 2023, and possibly stole some files. On November 20, 2023, the file analysis showed that the breached data included names, driver’s license numbers, Social Security numbers, state ID numbers, medical data, and medical insurance data. Notification letters have already been mailed to the impacted people with offers of free services through IDX for 12 months. Coos Health & Wellness stated it has implemented extra security measures to prevent similar incidents in the future.

Lost Device Reported by City of Homer Alaska

The City of Homer in Alaska has recently confirmed that the protected health information of 1,412 individuals was stored on a portable storage device that has gone missing. The device was used to assist the City with its data migration efforts, and it appears to have been misplaced. A thorough search was conducted but the device could not be located. The device contained a backup of medical information collected by the City in the course of responding to emergency medical service and transportation calls, which may have included Social Security numbers and/or dates of birth. City officials are unaware of any attempted or actual misuse of the exposed data.

2022 Harrisburg Medical Center Data Breach

Harrisburg Medical Center, which is associated with the Southern Illinois Healthcare network, has recently begun informing 147,826 people about the compromise of some of their personal data and PHI. Notification letters regarding the Harrisburg Medical Center data breach were sent to the impacted people starting on December 12, 2023; however, the cyberattack was discovered one year earlier, on December 23, 2022.

According to the notification letter submitted to the Maine Attorney General, Harrisburg Medical Center detected and stopped the attack on December 23, 2022. A third-party cybersecurity company conducted a forensic investigation to determine the nature and scope of the cyberattack. The investigation revealed that PHI was compromised from December 19, 2022 to December 23, 2023, and that files were extracted from its network during that time.

Harrisburg Medical Center stated it performed an analysis of the affected documents and confirmed on August 24, 2023, which is 8 months after the attack was discovered, that the files included names and Social Security numbers, together with some or all of the following data: birth date, diagnosis/conditions, laboratory test results, and prescription details. Some people may also have had their medical insurance data, state ID number/driver’s license, electronic signature, and/or financial account number compromised or stolen. It was not explained why it took another four months to send notification letters to the impacted persons.

Although the data breach happened in December 2022 and PHI was confirmed as impacted on August 24, 2023, the incident had still not been posted on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Regulation says that breaches should be reported within 60 months of discovering the data breach.

Given the long time it took to inform the impacted persons and the lack of transparency, patients were planning to file a lawsuit over the breach and data theft. Some law firms have investigated the incident with a view to filing class action lawsuits.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.