2 Hacks Involving Mental Health Data Affected Nearly 400,000

Includes Ransomware Attack on Social Services Provider, Email Hack on Behavioral Health Entity

Two hacking breaches - one at a non-profit provider of mental health and substance treatment services and the other at a provider of behavioral health services - affected sensitive information of nearly 400,000 individuals.

The breaches include a 2022 ransomware attack on Lutheran Social Services of Illinois that affected nearly 184,000 individuals, and an email hacking incident affecting nearly 194,000 people involving North Carolina-based Mindpath Health.

Mental health and substance use disorder data are especially appealing targets for hackers, and also the subject of extra regulatory requirements in some states. That elevated risk isn't necessarily translating into heightened vigilance, warn security experts who cite evidence including the two latest hacks.

"It’s worthwhile to proactively consider how much super-sensitive PHI you have, and whether it’s being appropriately protected in consideration of the likely reaction if an incident occurs," says attorney Brad Rostolsky of the law firm Reed Smith.

Organizations should consider how much they need to retain that data in the first place, says attorney Linda Malek, head of Moses Singer's Healthcare and Life Sciences and Healthcare Privacy and Cybersecurity groups. "Entities should be practicing data minimization as a matter of course, whether or not required by law, to protect as much as possible against sensitive data exposure if in fact there is a hacking incident."

Entities that experience breaches involving ultra-sensitive data can also face particularly harsh reputational blowback. "Because of the stigma and delicacy surrounding behavioral health, providers stand to lose patient trust and possible legal action," says Kate Borten, president of privacy and consulting firm The Marblehead Group.

LSSI Ransomware Incident

LSSI touts itself as Illinois' largest statewide provider of foster care services, as well as a provider of an array of other services. Those include mental health services, alcohol and drug treatment, senior housing and residential programs for people with developmental disabilities.

A company breach report filed on Wednesday says it underwent a ransomware incident affecting nearly 184,000 individuals.

The LSSI ransomware incident was discovered a year ago, on Jan. 27, 2022, according to the organization's own breach notification statement.

An internal investigation and review of affected data wasn't completed until December 28.

The types of information contained on the affected systems include names, dates of birth, Social Security numbers, financial account information, driver license numbers, biometric information, medical diagnosis and treatment information, and health insurance information, Lutheran says.

The Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website shows that LSSI reported on March 25, 2022 a HIPAA breach involving a hacking/IT incident and network server that affected 1,000 individuals.

An attorney representing LSSI did not immediately respond to Information Security Media Group's request for additional information about the incident, including whether the breach LSSI reported to HHS OCR in March 2022 was the same hacking incident as the ransomware breach it reported this week.

Mindpath Health Email Breach

Mindpath Health, an independent provider of outpatient behavioral health services in eight states, reported its email hacking incident to HHS OCR on Jan. 10 as affecting nearly 194,000 individuals.

The company's breach notice says the incident involved unauthorized access to two employee email accounts, one in March 2022 and the second in June 2022.

Affected data includes patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

"We have also taken proactive steps to enhance the security of all information to help prevent similar incidents from occurring in the future," a Mindpath Health spokesperson told Information Security Media Group.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
