Share this article on:
The Clearwater, FL-based non-profit behavioral health service provider Directions for Living was the victim of a ransomware attack on July 17, 2021.
Upon detection of the attack, law enforcement was notified and third-party computer forensics experts were engaged to investigate the scope of the attack and assist with remediation efforts. The investigation concluded on August 30, 2021.
A review of servers potentially accessed by the attackers confirmed they contained personal and protected health information of current and former clients, including names, addresses, dates of birth, Social Security numbers, diagnostic codes, claims information, insurance information, healthcare provider names, date of service, and certain health information. Directions for Living said its electronic medical record system was not affected and could not be accessed by the attackers and clients’ financial information was not stored on the affected servers. While personal and protected health information may have been accessed by unauthorized individuals, Directions for Living said no evidence has been found to indicate any actual or attempted misuse of that information.
“For nearly 40 years, Directions for Living has been a proud and trusted resource for those seeking a welcoming and compassionate provider of behavioral health services. We take this role, and our commitment to our community, very seriously,” said Directions for Living. “Please know that your privacy is always our top priority, and we are working diligently to respond appropriately and continue to ensure that you are protected, and your information is safe with us.”
The process of notifying affected individuals started on August 30, in accordance with the requirements of the HIPAA Breach Notification Rule. Affected individuals have been advised to be vigilant and to check their account statements, credit reports, and explanation of benefits statements for signs of fraudulent activity. Individuals whose Social Security numbers have been exposed have been offered complimentary credit monitoring and identity theft monitoring services for 12 months.
The breach report submitted the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 19,494 individuals was stored on the affected servers.