HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet

Databreaches.net has discovered a healthcare data breach of more than 3,000 records. Those records appear to have been sold by the hacker responsible for the attack via a darknet marketplace. The records contained health and mental health histories and therapy session notes from 2007 to present.

In total, more than 4,500 patient records were obtained by the hacker, which related to ‘3,000-3,500’ unique individuals. The records included names, addresses, phone numbers and employer details along with SSNs, dates of birth and the names of patients’ physicians.

Worse still, the records contained complete family histories, details of substance abuse, legal histories, health and mental health histories, and detailed ‘complete’ notes of therapy sessions spanning several years.

The individual responsible for stealing the information listed the records for sale on a darknet marketplace advising potential buyers that the records contained “Everything confessed/discussed in complete privacy is in here for thousands of patients.”

Please see the HIPAA Journal Privacy Policy

The complete set of data was listed for sale for a minimum price of $10,000 and was allegedly sold to one individual. The seller suggested the records could be sold back to the organization from where they were stolen.

It is not clear how the records were stolen, although the seller claims the healthcare organization had ‘not-so-great network security. Databreaches.net was able to identify the source of the data and alerted the organization – Behavioral Health Center in Bangor, Maine. The health center has launched an investigation into the breach and will notify affected patients in due course.

The report of the discovery can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.