HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Zenith American Solutions Reports Mailing Error that Exposed SSNs of 37,000 Individuals

Zenith American Solutions, a third-party administrator for the Sound Health and Wellness Trust, has recently notified individuals about a mailing error that exposed individuals’ Social Security numbers. According to the breach notification, a mailing was sent to individuals on June 24, 2022, advising them to complete their Personal Health Assessments or Health Profiles to enroll in the 2023 Health Reimbursement Account.

The file used for printing the mailing labels included individuals’ full Social Security numbers, which were printed in full on the mailing labels along with full names, postal addresses, and unique ID numbers. The mailing labels also indicated an individual had enrolled in the Sound Health and Wellness Trust.

Zenith American Solutions said it has implemented new quality control procedures to ensure there are no similar incidents in the future and affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

The breach was reported to the HHS’ Office for Civil Rights as affecting 37,146 individuals.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Centerstone Reports Breach of Email Environment

Centerstone, a national provider of mental health, addiction recovery, residential care, therapeutic foster care, counseling, and crisis services, has recently announced that the protected health information of certain current and former Centerstone clients has been exposed and potentially obtained by unauthorized individuals.

Unusual activity was detected in the Centerstone email environment on February 14, 2022. Steps were immediately taken to secure email accounts by performing a password reset, and an investigation was launched to determine the nature and scope of the security breach. The investigation confirmed that three employee email accounts had been accessed by an unauthorized third party between November 4, 2021, and February 14, 2022.

A comprehensive review of the affected email accounts was completed on July 12, 2022, and confirmed they contained individuals’ protected health information such as names, addresses, Social Security numbers, birth dates, client ID numbers, medical diagnoses, treatment information, and/or health insurance information.

Centerstone has reported the breach to the HHS’ Office for Civil Rights as affecting 1,700 Centerstone of Indiana patients. Centerstone said it has implemented additional safeguards to better protect its email environment.

Southwest Behavioral & Health Services Reports Breach of Employee Email Account

Southwest Behavioral & Health Services, a Phoenix, Az-based provider of outpatient mental health treatment and psychiatric services, has recently notified 1,337 individuals that an unauthorized third party gained access to the email account of an employee. The email account contained individuals’ names, dates of birth, addresses, email addresses, resume information, medical diagnosis information, Social Security numbers, and phone numbers.

The breach was identified on July 15, 2022, and was confirmed to have occurred on May 5, 2022. Notification letters were sent to affected individuals on August 1, 2022. No evidence was found to indicate any theft of PHI; however, as a precaution, affected individuals have been offered a complimentary membership to identity theft protection services through IDX.

Southwest Behavioral & Health Services said further safeguards have been implemented to prevent further email data breaches and additional security awareness training has been provided to the workforce.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.