Share this article on:
Allwell Behavioral Health Services in Zanesville, OH, has announced that a computer system used to store quality assurance information related to the treatment of patients has been accessed by an unauthorized individual. The unauthorized access was detected on March 5, 2022, with the subsequent forensic investigation determining the system was breached on March 2, 2022.
The breach investigation concluded in late April and determined that it was likely that files containing sensitive information had been copied in the attack, although at the time of issuing notifications to affected individuals there had been no reports of any actual or attempted misuse of patient data.
The types of information in the files varied from patient to patient and may have included information such as names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information.
According to the breach summary on the HHS’ Office for Civil Rights website, 29,972 patients have been affected. Complimentary identity theft protection services have been offered to eligible participants for 12 months, and for 24 months for affected patients in CT, DC, RI, or MA. Allwell Behavioral Health Services said its information technology and computer systems have been upgraded to improve security and prevent further unauthorized access.
Email Account Breach Reported by WellDyneRx
The pharmacy benefit manager, WellDyneRx, has recently started notifying 5,122 individuals that an unauthorized individual has gained access to a company email account that contained sensitive patient information. Suspicious activity was detected in the email account on December 2, 2021, and immediate action was taken to secure the account. The third-party forensic investigation confirmed the account had been accessed by an unauthorized individual between October 30, 2021, and November 11, 2021.
Evidence of data theft was not found, but the possibility of unauthorized access to ePHI could not be ruled out. The review of the email account confirmed the following types of information had potentially been compromised: names, birthdates, Social Security numbers, driver’s license numbers, treatment information, health insurance information, contact information, prescription information, and other medical/health information. Steps have been taken to improve security to prevent similar attacks in the future.