Two cyber incidents affecting behavioral health services have impacted almost 400,000 individuals: one at Lutheran Social Services of Illinois and one at Mindpath Health.
Ransomware Hits Lutheran Social Services of Illinois
In the beginning it looked relatively manageable. The data breach at Lutheran Social Services of Illinois (LSSI) wasn’t small, but it wasn’t huge: 1,000 people were affected, and in March 2022 LSSI notified the Office for Civil Rights (OCR) about the hack on its network server. But by January 2023, LSSI had filed another breach report about a ransomware incident affecting nearly 184,000 individuals. It’s not clear whether the first breach report is related to the second one, although it seems likely.
LSSI is one of Illinois’ largest statewide providers of foster care and behavioral health services; it also provides senior housing and residential programs for people with developmental disabilities.
According to its breach notification statement, LSSI discovered the ransomware incident a year ago, on January 27, 2022, but didn’t complete an internal investigation and review of affected data until December 28, 2022.
The types of information that may have been breached include names, dates of birth, Social Security numbers, financial account information, driver’s license numbers, biometric information, medical diagnosis and treatment information, and health insurance information.
Email Breached at Mindpath Health
Mindpath Health, a provider of behavioral health services in eight states, reported an email hacking incident to OCR on January 10, 2023, as affecting nearly 194,000 individuals. The company’s breach notice explains that it discovered suspicious activity in its email in July 2022. The investigation that followed found that a hacker had obtained unauthorized access to two employee email accounts, one in March 2022 and the second in June 2022.
The data affected includes patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.
HIPAA Compliance is the Best Defense
Protected health information (PHI) is more valuable to criminals than Social Security numbers or credit card numbers. This is because health information can be used to commit insurance fraud and Medicare and Medicaid fraud, and to obtain expensive prescriptions.
But you can use HIPAA defensively to prevent cyber theft. Set up the right physical, administrative and technical safeguards; do a regular HIPAA Risk Analysis and follow the Security Rule Checklist.
Ask a professional for help: ask The HIPAA E-Tool®.