Behavioral Health Network (BHN) Malware Attack Affects 129K Patients

MARLENE MAHEU

August 29, 2020 | Reading Time: 2 Minutes

 371

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

The large behavioral health service provider, Behavioral Health Network (BHN), suffered a malware attack affecting 129,571 patients. Details of the attack are discussed below.

Malware Attack: What Happened?

A malicious software attack occurs when hackers install malicious software on an organization’s systems without the organization’s knowledge. The purpose of a malware attack is to gain access to sensitive data, usually to exploit the organization for financial gain. The attack affecting BHN was discovered two days after it had been introduced into their network when staff were unable to access files.

BHN’s affected systems contained files on 129,571 patients. Protected Health Information (PHI) that may have been compromised includes patient names, dates of birth, Social Security numbers, addresses, medical/diagnosis/treatment information, and/or health insurance claim information.

Reporting and Preventing Future Malware Attack Incidents

Although it is unclear whether or not hackers stole or accessed any files containing PHI, BHN reported the incident to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affected patients, and the media. Patients potentially affected by the malware incident have been offered free identity theft protection and credit monitoring services, as required by HIPAA.

To prevent malicious software problems from occurring in the future, BHN has agreed to:

Implementing additional safeguards. HIPAA requires organizations working with PHI to implement administrative, physical, and technical safeguards. Safeguards are meant to ensure the confidentiality, integrity, and availability of PHI. Had BHN implemented adequate safeguards, they may not have suffered the malware attack.
Reviewing their HIPAA policies and procedures. Policies and procedures create a framework for how an organization adheres to the HIPAA Security, Privacy, and Breach Notification Rules.
Retraining employees on data security and privacy practices. Employee training ensures that employees are aware of potential risks and how to recognize them, making them less likely to fall victim to malware attacks.

HIPAA Compliant Cybersecurity for Professionals

Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.