An error by a business associate working with Burrell Behavioral Health in Springfield, Mo., has resulted in potential breach of records of 67,493 patients.
The business associate’s Internet-facing portal, which contained electronic images of protected health information (PHI) was improperly secured and may have enabled unauthorized persons to access the records. After the error was discovered, Burrell Behavioral had the business associate close access to the portal, and then it hired forensics experts to examine ramifications of the breach.
The investigation found that it was highly unlikely that patient information was actually accessed. There was no evidence that unauthorized persons, automated website crawlers or scanners accessed PHI, which was formatted in a way that did not allow access through general Internet searches or casual Internet browsing, reported Burrell Behavioral, which soon will be notifying affected individuals.
“We value the privacy and security of patient protected information, and we are committed to protecting the confidentiality and privacy of our patients,” says Darren Johnson, vice president of information technology. “It is our priority to support those who have been affected.”
Identity monitoring and additional protective services from an unidentified credit firm will be offered to an undisclosed number of patients whose Social Security numbers were compromised. The organization advised other concerned individuals to get a free credit report from each of the credit reporting bureaus—Equifax, Experian and TransUnion.
Appropriate steps are being taken to protect against a similar incident in the future, according to Johnson. “We have an effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect PHI. We are working with all our business associates to ensure all electronic PHI is appropriately secured, and that technical and administrative safeguards are implemented to permit the secure transition of paper medical records to electronic form.”
Burrell is not commenting further on the breach because the organization has announced all of what it knows at this time, Johnson said.