PHI of 67,493 Burrell Behavioral Health Patients Exposed Due to Business Associate Breach

Burrell Behavioral Health is informing 67,493 patients about the accidental exposure of their healthcare records due to an error that occurred in August 2018 at an unnamed business associate.

Images were stored by the business associate which showed the protected health information (PHI) of certain Burrell Behavioral Health patients. The data was exposed because of an error introduced into the internet-facing portal used by the business associate. The following information was visible in the images: Names, addresses, phone number, birth dates, sex, dates of service, types of service rendered, health insurance details, Social Security numbers and driver’s license numbers.

Burrell Behavioral Health learned about the exposure of patient information on January 30, 2019 and notified its business associate, which promptly secured the server.

To find out which information was exposed, and whether PHI was accessed, a forensic team conducted an investigation. They learned that patient data was uploaded in August 2018 although there were no indications that anyone accessed the information. Automated website crawlers and scanners also did not access the information.

Because of the file format of the images, it was not possible for the files to be found by means of general web surfing or web searches.

The investigators came to the conclusion that there was a “very low probability” of unauthorized data access. Individuals who had their Social Security number exposed have been offered free identity theft monitoring and protection services as a precaution.

Burrell Behavioral Health has implemented measures to prevent breaches of similar nature and is working together with its business associates to make certain that technical and administrative security measures are in place to protect patient data.