PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration

Portland, OR-based Sunshine Behavioral Health Group, a network of drug an alcohol addiction treatment facilities in California, Colorado, and Texas, has experienced a breach of sensitive patient information. An Amazon AWS S3 bucket was misconfigured which allowed files containing patient billing information to be accessed over the internet.

An individual discovered the breach and reported it to Dissent at Dissent verified the data and contacted Sunshine Behavioral Health on September 4, 2019 to report the breach and ensure the S3 bucket was secured. Dissent reports that the exposed S3 bucket contained approximately 93,000 files, although that did not correspond to 90,000 patients.

A notification about the data breach was sent by ID Experts to the Vermont Attorney General which explains the error was identified on September 4, 2019. The report states that steps were taken to prevent the records from being accessed by unauthorized individuals and further actions were taken on November 14, 2019 to remove the records from general internet access.

On December 23, 2019, Sunshine Behavioral Health Group determined a folder in the cloud-based system contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnoses, treatment information, lab test results, health insurance information, claims information, credit/debit card numbers, expiry dates, security codes, electronic/digital signatures of individuals who had paid for healthcare services,

The exposed data related to payers for medical services received at Monarch Shores, Chapters Capistrano, Willow Springs Recovery, and Mountain Springs addition treatment and rehabilitation centers. All individuals whose information was exposed have been offered complimentary membership to MyIDCare protection services for 24 months.

The incident was reported to the HHS’ Office for Civil Rights on December 2, 2019 and shows the PHI of 3,500 individuals was exposed.

Thieves Stole Patient Information in Lake County Behavioral Health Burglary

Lake County Behavioral Health in Clearlake, CA, has announced it experienced a burglary on December 5, 2019 and thieves stole a locked filing cabinet containing client health information.

The stolen paperwork contained information such as patient names, contact telephone numbers, case numbers, medications, appointment dates and times, payments, and amounts due. One file contained a patient’s date of birth, Social Security number, medical history, disability status, substance use history, income verification information, and Medi-Cal ID number.

All patients whose information was stolen have been notified by mail and advised to register a fraud alert in case their information is misused. All remaining files have been relocated to a locked room in the heart of the facility, an alarm system has been fitted along with video surveillance with 24-hour monitoring. The break-in is being investigated by the Clearlake Police Department but no arrests have been made.

Jefferson Center for Mental Health Announces Potential Breach of PHI

Jefferson Center for Mental Health, a nonprofit provider of community-focused mental health care and substance use services in Colorado, experienced a burglary at its Independence Corner facility in Wheat Ridge on November 29, 2019.

The burglary was discovered on December 2, 2019 and the break-in was reported to law enforcement. No paperwork containing patient information was taken by the perpetrators, but it is possible that the personal and treatment information of 1,319 patients was viewed by the thieves.

Unauthorized data access is not suspected, but patients have been advised to monitor their accounts as a precaution. Jefferson Center for Mental Health is now taking steps to improve physical security at its offices.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.