Personal data on mental health patients stolen in provider group hack
A large for-profit mental health chain has been hit by a “data security incident” that resulted in personal information on patients being accessed by an unauthorized third party.
Acadia Healthcare, which operates more than 275 behavioral health clinics and facilities nationwide, disclosed the breach this week after partially completing an investigation conducted with a third-party cyber-forensics firm.
In a statement, the provider group said the intrusion was first identified in March, and that an unidentified individual had access to parts of the Acadia network for roughly four days.
The Tennessee-based company added that an employee’s email account was the point of unauthorized entry. That account was linked to a SharePoint account used to exchange sensitive personal information on patients.
Once suspicious activity on the email account was identified, Acadia said it immediately secured the account and related systems and investigated whether the attacker had reached other systems. It later determined that the breach was isolated to the single email account, to which the attacker gained access through a social engineering attack.
Acadia has not confirmed the method, but email account compromises of this kind are most commonly the result of phishing.
Acadia emphasized that the cybersecurity incident “did not involve our electronic health record systems,” adding that the hack did not “disrupt our operations or our ability to care for patients.”
Victim headcount ongoing
Although Acadia confirmed that the EHR was not accessed, the compromised email and SharePoint accounts contained patient details such as names, addresses, dates of birth, treatment information, care delivery dates, health insurance information and more.
Acadia said some files contained full Social Security Numbers from patients.
Given that Acadia treats mental illness, behavioral issues and substance use disorder, any data that can be used to identify a patient is highly sensitive, and the incident will require notification under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
For now, no official number of victims has been reported to the federal government. Acadia said it is still auditing the full scope of the breach to determine which patients had their data exposed and precisely which details the attacker may have accessed.
“For patients whose information was involved, we recommend that you review any statements you receive from your healthcare providers and health insurance plans,” Acadia wrote. “If you see any services that were not received, please contact the provider or health plan immediately.”
The company confirmed that it has begun sending notification letters to affected individuals and that it has deployed new cybersecurity controls intended to prevent similar incidents in the future.
To date, no known threat group has claimed responsibility for the attack, and there is no evidence that data from the incident has been offered for sale on the dark web.
