PHI Exposed in Allwell Behavioral Health Services and WellDyneRx Security Incidents

Allwell Behavioral Health Services, based in Zanesville, OH, has reported that an unauthorized individual accessed a computer system used to store quality assurance data associated with the treatment of patients. The healthcare provider detected the unauthorized access on March 5, 2022, and the subsequent forensic investigation confirmed that the system was breached on March 2, 2022.

The investigation into the breach concluded at the end of April and confirmed that files containing sensitive data were potentially copied during the attack, though at the time notifications were sent to impacted persons, no reports had been received of any attempted or actual misuse of patient data.

The types of data in the files differed from one patient to another and might have contained data like names, birth dates, Social Security numbers, telephone numbers, provider of treatment, treatment activity and date, treatment site, and payer details.

According to the breach report published on the HHS’ Office for Civil Rights webpage, 29,972 patients were impacted. Free identity theft protection services were provided to eligible people for one year, and for two years for affected patients in DC, CT, MA, or RI. Allwell Behavioral Health Services said its IT and computer systems were improved to boost security and prevent similar unauthorized access.

WellDyneRx Reports Email Account Breach

WellDyneRx, a pharmacy benefit manager, recently began notifying 5,122 persons that an unauthorized person gained access to the firm’s email account, which contained sensitive patient data. WellDyneRx discovered suspicious activity in the email account on December 2, 2021, and took quick action to protect the account. The third-party forensic investigation determined that an unauthorized person accessed the account from October 30, 2021 to November 11, 2021.

No proof of data theft was found; however, the possibility of unauthorized access to ePHI cannot be excluded. The analysis of the email account showed that these types of data were possibly compromised: names, Social Security numbers, birthdates, driver’s license numbers, treatment data, medical insurance details, contact data, prescription details, and other medical/health data. Steps were taken to increase security to prevent similar attacks in the future.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone