67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach

Burrell Behavioral Health is notifying 67,493 patients that their medical records have been accidentally exposed as a result of an error made by an unnamed business associate in August 2018.

The error was introduced into the business associate’s internet-facing portal, which resulted in images of Burrell Behavioral Health patients’ protected health information being exposed. The images contained information such as: Name, address, telephone number, birth date, gender, dates of service, types of service provided, health insurance information, driver’s license number, and Social Security number.

The exposure of patient data was brought to the attention of Burrell Behavioral Health on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure and the server was immediately secured.

A forensic investigation was conducted to determine which information had been exposed and whether it was subjected to unauthorized access. The investigation revealed patient information was uploaded to the server in August 2018. No evidence was uncovered to suggest that anyone had accessed the information and neither had automated website crawlers and scanners accessed the information. The format of the images was such that it would not have been possible for the information to be accessed through general web browsing or internet searches.

Consequently, the investigators concluded that there is a “very low probability” of unauthorized data access, although, out of an abundance of caution, all patients whose Social Security number has been compromised as a result of the breach have been offered complimentary identity theft monitoring and protection services.

Burrell Behavioral Health has taken steps to prevent any further breaches of this nature from occurring and is working with its business associates to ensure they have adequate technical and administrative safeguards in place to ensure the confidentiality of patient information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.