Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach
Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual.
On February 5, 2019, Health Recovery Services discovered an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach.
On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’.
The types of patient information contained in files on the compromised server included names, addresses, contact telephone numbers, and dates of birth. Patients who received treatment at Health Recovery Services after 2014 also had medical information, health insurance information, diagnoses, treatment information, and Social Security numbers exposed.
Health Recovery Services rebuilt its entire network to ensure that it was totally secure and free from any security threats. Policies, procedures, and cybersecurity measures were reviewed and will be enhanced to prevent further data breaches. Steps will also be taken to limit the harm that can be caused should a further network server breach be experienced in the future.