HIPAA violations resulting from health care data breaches are common occurrences. Behavioral health professionals face this threat just as much as any other health care specialty. But a data breach affecting behavioral health processionals can be particularly serious because of the highly sensitive medical records that they retain.
This proved to be exactly the case when the Maine-based behavioral and mental health center, Behavioral Health Center (BHC).
Over 4,000 Records Breached
In March of 2017, hackers accessed BHC’s network and stole over 4,000 patient records. The records were then put up for sale online on the black market, otherwise known as the “dark web”. Records obtained by hackers in a data breach often end up on the dark web largely because of the anonymity that the platform provides them.
The hackers then placed an ad, which began:
“From a psychiatric practice with not-so-great network security. DETAILED information on each patient including:
- Name, address, phone, employer
- SSN, DOB, race, primary care physicians
- Complete family history, substance use history, legal history, psychiatric and medical history
- COMPLETE DETAILED notes on EVERYTHING discussed in therapy sessions
These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years. Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”
And a subsequent post by the hackers explained:
“Also, while there are 4500+ patient records, some of the records are for the same person subsequently relapsing back into treatment. I’d estimate there are 3000-3500 unique individuals represented across those 4500+ records.”
Just before the records were sold, the hackers stated: “[…] who knows what you could do with complete confidential medical/substance/psychiatric histories on everyone from bank presidents to garage mechanics.”
Once BHC was alerted to the breach and sale of the records, the practice reported the incident to The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as a HIPAA violation. The report indicated that the data breach affected 4,229 patients whose records dated back to 2007.
OCR HIPAA investigations typically take 2-4 years to reach settlement, meaning that we won’t receive an update on the consequences of this breach any time soon.
However, this should be a stark reminder for behavioral health professionals to take steps to protect their practices by implementing a HIPAA compliance program, in addition to cyber-security safeguards.
HIPAA regulation outlines specific standards for how to handle data breaches in the HIPAA Breach Notification Rule. The Breach Notification Rule outlines two different categories of data breaches. A Minor Breach is a breach affecting fewer than 500 individuals, and a Meaningful Breach is a breach affecting more than 500 individuals.
When you report a HIPAA breach to OCR, federal investigators will follow-up with requests for documentation of your practice’s compliance program. Fines for HIPAA violations range from $50-$100,000 per incident based on the perceived level of negligence. If a practice has a limited or incomplete HIPAA compliance program in place, it will likely be fined the maximum penalty for an incident because of the level of noncompliance with HIPAA regulation.
That’s why the most effective way to protect your practice from the consequences of a catastrophic data breach is by implementing a total HIPAA compliance program in your organization. Addressing the full extent of the law will safeguard the privacy and integrity of your patients’ health records.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.