HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone

Centerstone, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual.

Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account.

The protected health information of patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised.

Notification letters were sent to affected patients on Thursday, October 22, 2020, and information has been provided on the steps they should take to reduce the risk of misuse of their data.

Centerstone reports that $800,000 has been invested in IT security infrastructure following the breach, including new software applications and security appliances. A security audit and gap assessment are being conducted by third-party security experts to identify any other areas where security can be improved. Policies and procedures are also being reassessed and further training on IT security has been provided to the workforce.

According to the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights, the incident affected 50,965 patients of Centerstone of Tennessee and 11,638 patients of Centerstone of Indiana.

Arkansas Otolaryngology Center Notifies 12,000 Patients About Email Breach

Little Rock, AR-based Arkansas Otolaryngology Center is alerting 12,000 patients about an email security breach discovered on July 17, 2020. An unauthorized individual was discovered to have gained access to the email account of an employee and was using the account to send unauthorized messages.

Assisted by a third-party computer forensics company, Arkansas Otolaryngology Center determined that four email accounts had been compromised between July 17, 2020 and July 27, 2020. It was not possible to determine whether any emails in the accounts had been subjected to unauthorized access during the time the accounts were accessible.

A review of emails and email attachments in the compromised accounts revealed they contained the following types of protected health information: names, dates of birth, medical record numbers, Social Security numbers, diagnoses, doctors’ names, driver’s license numbers, state identification card numbers, insurance group numbers, treatment locations, and treatment or procedure types or codes. A limited number of individuals also had financial account information exposed.

Upon discovery of the breach, a full password reset was performed, and additional technical safeguards have since been implemented to prevent further email breaches. Individuals affected by the breach have been offered complimentary credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.