Behavioral Health Data Breach Affects 67,000

A behavioral health practice based out of Springfield, Missouri has notified 67,493 patients of a behavioral health data breach involving their medical data. The breach occurred in August of 2018. What makes this behavioral HIPAA breach unique is that a vendor, not the provider itself, was ultimately responsible for the breach.
This raises serious concerns about the growing trend of data breaches affecting health care organizations and their patients that originate with a vendor rather than the provider. Under HIPAA regulation, a mental health HIPAA breach caused by a vendor can ultimately expose the provider to liability if there isn't an effective compliance program in place.

Behavioral HIPAA Breach

According to the behavioral health data breach notice, Burrell Behavioral Health reported that its business associate operated an internet-accessible portal containing health care data that the vendor was maintaining on behalf of the practice. The data breach occurred when a server containing the names, addresses, phone numbers, birth dates, services rendered, insurance information, driver's license numbers, and Social Security numbers of Burrell's patients was made available to the public.
An investigation into the behavioral health data breach was conducted, which revealed that the data had not been indexed by search engines. However, the fact that the information was made publicly available still constitutes a data breach.
HIPAA regulation defines business associates as any vendors who are paid to handle protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient's name, address, phone number, email address, Social Security number, insurance ID number, and medical records, to name a few.
HIPAA regulation demands that providers execute a business associate agreement (BAA) with any business associate before any PHI can be shared. That means that telehealth providers who work with video chat platforms, cloud storage providers, patient portals, and billing services must ensure that BAAs have been executed before any PHI may be accessed by those vendors.
BAAs are one of the most effective ways of protecting your behavioral health practice from liability in the event of a mental health HIPAA breach caused by a vendor. In this case, Burrell Behavioral Health says that it has an effective security program in place, but fails to mention whether a BAA was executed with its vendor.
This is just one of many behavioral health data breaches affecting healthcare organizations around the country day after day. With the increasingly digital nature of health care information, HIPAA compliance and data security must become a priority for maintaining the privacy and security of patient data.