HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC), a nonprofit provider of mental health care services to disadvantaged children and their families in Long Beach, Compton, San Pedro, and Avalon in California, has discovered a breach of its digital environment.

In a breach notification letter to the California Attorney General, Xavier Becerra, TGC’s counsel explained that unusual activity was detected within TGC’s digital environment in late March 2019. Staff had reported that files and backups appeared to be missing. An internal investigation was launched which concluded the files had been deleted. Further investigation also showed that a TGC computer had been reconfigured to allow it to be remotely accessed.

TGC believes the change to the computer and deletion of files was most likely the work of a former employee. The matter was reported to both the Long Beach Police Department and the FBI, and the individual suspected of the illegal access was sent a cease and desist letter by TGC’s attorney on March 30, 2019. Following that letter, all further unauthorized access stopped.

On April 19, 2019, TGC engaged a difficult forensics company to determine whether any patient information had been accessed without authorization. No evidence of unauthorized PHI access or data exfiltration was discovered; however, certain employee email accounts had been accessed remotely.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to the substitute breach notification letter on the TGC website, TGC learned on September 19, 2019 that some sensitive information was contained in those email accounts. It took some time to determine which clients had been affected and to find up to date contact information for those individuals. Breach notification letters were sent on October 25, 2019.

In total, the protected health information of 1,235 current and former clients was detailed in the email accounts and could therefore have been accessed, although no evidence of unauthorized PHI access was discovered.

The information in the accounts was limited to names, addresses, dates of birth, health insurance/claims information, medical information and, for a limited number of patients, Social Security numbers.

All individuals whose Social Security number was exposed have been offered 12 months of complimentary credit monitoring services. Additional security controls have now been implemented to prevent any similar incidents from occurring in the future and the deleted files have been restored. No reason was given as to why the email accounts were accessed and files and backups were deleted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.