1,400 Patients Affected by Behavioral Healthcare Breach
The Virginia Department of Behavioral Health and Developmental Services (DBHDS) accidentally exposed patients’ protected health information (PHI) through its Individual and Family Support Program (IFSP). Although investigations are still underway, the healthcare breach may have affected 1,442 patients.
The breach occurred when patients attempted to apply for aid online through IFSP. One such victim, Ebony Cunningham, reported to ABC’s 8News that she applied for aid on the site for her 5-year-old twin sons, both of whom are autistic. Upon submitting their application, she received an email with an ID number to log in to the site. However, when she logged in, she was directed to another patient’s profile, where she was able to view that patient’s Social Security number and home address, both of which are considered PHI under the HIPAA regulation.
In a statement to 8News Ms. Cunningham said, “But I hope they figure out something because the breach of information is a real problem, and especially when you think you’re going into a secure site and you think all of your information is going to be kept confidential and now it’s just out in the open. It’s terrifying and I’m worried for myself and my kids and everybody else whose information is out there.”
After becoming aware of the HIPAA violation, the DBHDS temporarily shut down the site after it had been live for just 16 minutes. The DBHDS is addressing the technical issues and will inform applicants 48 hours before the relaunch. 8News received the following statement from a DBHDS spokesperson: “we are very concerned that these problems led to the exposure of some of the applicants’ information.”
Notifying Patients of the Behavioral Healthcare Breach
The Virginia Department of Behavioral Health and Developmental Services updated applicants via email with the following message:
“DBHDS is continuing to explore the issues with the Individual and Family Support Program (IFSP) Funding Portal. Out of an abundance of caution, the site will continue to be disabled until we are confident that we have identified and addressed the problems.
In addition to identifying the issues that occurred, our internal investigation will determine whose information may have been affected. If we determine that your information may have been affected, we will contact you directly.
In the coming days, we expect to contact those who submitted an application before the site was disabled to verify that we did receive their application. We will also release information on the Portal’s re-launch to provide families that did not have an opportunity to apply with the information they will need to complete their application.
At this time, you do not need to contact SeniorNavigator, Family to Family, or the volunteer IFSP Regional Councils to request information about the Portal.
DBHDS will communicate all information about the Portal’s re-launch directly to individuals and families via the IFSP list serv.
If you have contacted us about these issues, thank you. Should you have additional questions or concerns, we have established a method to communicate by email at firstname.lastname@example.org.
Again, thank you for your patience as we work to bring the Portal back online.”
DBHDS also issued a statement on Twitter to inform applicants that the site had been temporarily taken down. The breach is currently under investigation by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.