Email Breaches Reported by Mattapan Community Health Center and Prestera Center for Mental Health Services

Prestera Center for Mental Health Services, the largest behavioral health services provider in West Virginia, has discovered an unauthorized individual potentially accessed the protected health information of a small percentage of its current and former patients.

An unauthorized individual gained access to Prestera Center’s business email environment which contained protected health information such as patient names, dates of birth, medical record numbers, patient account numbers, diagnostic information, prescription information, treatment information, and healthcare provider information. The email system also contained a limited number of patient addresses, Social Security numbers, and Medicare/Medicaid numbers.

A third-party vendor was engaged to assist with the investigation and determine whether any PHI was viewed or obtained during the data security incident. Prestera Center said the investigation did not uncover any evidence of attempted or actual misuse of patient information, but since PHI may have been viewed or acquired, affected individuals have been offered complimentary identity theft restoration and credit monitoring services.

Prestera Center has taken steps to enhance security including implementing multi-factor authentication on all accounts, strengthening its cybersecurity infrastructure, replacing and strengthening the firewall, revising policies and procedures, and implementing an intensive training program for employees.

The HHS’ Office for Civil Rights breach portal indicates 3,708 individuals were affected by the breach.

Mattapan Community Health Center Email Breach

Mattapan Community Health Center (MCHC) in Massachusetts is notifying certain patients that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to an employee’s email account.

Unusual email activity was detected on October 16, 2020 within an employee’s email account. Assisted by a third-party security firm, MCHC determined that the email account was accessed between July 28, 2020 and October 15, 2020. A review of the account revealed it contained sensitive data that may have been viewed or acquired.

The information in the account varied from individual to individual and may have included patient names, Social Security numbers, medical diagnoses, treatment information, provider information, health insurance information and/or medical record numbers.

MCHC said no evidence was found to indicate any actual or attempted misuse of patient data. MCHC has since implemented additional security measures to prevent further breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.