More Breaches Expose Mental Health, Substance Abuse Data
Expert Insights on Risks, Regulations and Action Plans
Recent data breaches involving mental health and substance abuse information highlight some of the special challenges that organizations can face in protecting extra-sensitive patient records.
Those incidents include hacker attacks that exposed data held by non-profit and government-run institutions, as well as a breach involving an employee misstep. In a hacker attack against a Baltimore facility, the attackers reportedly posted sensitive stolen data on the dark web.
"Most would agree that the unauthorized disclosure of behavioral health or substance abuse treatment information can cause significant reputational harm," notes privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
Because of the sensitivity of mental health and substance abuse records, covered entities and their business associates need to be particularly mindful of protecting that information.
"Organizations may decide to implement additional safeguards for 'more sensitive' information, but that isn't necessarily a requirement," notes privacy attorney Kirk Nahra of the law firm Wiley Rein. "From a patient perspective, this information typically could create more reputational concerns than other kinds of medical information."
As many of the recent breaches illustrate, Nahra notes, "a lot of the groups that have this kind of information are state-run, or non-profits, or others that may have fewer resources." And that can make safeguarding patient data more challenging.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, "may more closely scrutinize incidents involving particularly sensitive information," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
For example, OCR entered into a $1 million HIPAA settlement agreement in 2011 with Massachusetts General Hospital over the loss of 192 records for HIV/AIDS patients on a subway train, Greene says.
The incident involved "a relatively small number of patients compared to other enforcement actions," he says. "OCR made a point of identifying that the lost information included HIV/AIDS information, suggesting that the sensitivity of the information was a factor in their enforcement decision."
Also, in OCR's recent announcement that it is increasing its review of breaches affecting fewer than 500 individuals, the agency identified the "nature and sensitivity of the PHI involved" as a factor in its decision as to whether to investigate, he adds.
The Baltimore Incident
Among the recent compromises involving sensitive health data was a ransomware attack targeting Man Alive Inc. Lane Treatment Center, a Baltimore-based, non-profit substance abuse and mental health facility.
In a Sept. 8 statement, Man Alive says that on August 24 and 25, a cyberattacker remotely accessed and "successfully executed a hack and breach of Man Alive's computer system in which the hacker installed ransomware on a Man Alive employee's computer and gained unauthorized access into our electronic patient records system."
The treatment center determined that the hacker accessed and downloaded patient files. The stolen information - summary patient profiles and lists - included patients' names, dates of birth, Social Security numbers, drug dosage information, insurance identification numbers, street addresses, phone numbers, emergency contact information, employment status and certain demographic data, Man Alive says.
"No patient records were lost due to the ransomware. No credit card information was compromised, nor is there any evidence at this time, except on an extremely limited basis, that more in-depth treatment records were downloaded or accessed, such as counselor notes or medical history," the Baltimore organization reports.
"Immediately upon learning of the cyberattack on August 25, we, along with the help of our highly skilled outside IT and data security vendor, began an in-depth investigation into how the attack occurred and took immediate steps to close identified security vulnerabilities. We have reported this incident to the FBI and are fully cooperating with its investigation into this matter. We are also evaluating our systems more broadly to improve security in light of the evolving cyber security landscape."
The Databreaches.net blog reports that a Man Alive patient database with sensitive personal and treatment information has been put up for sale on the dark web.
Man Alive did not immediately respond to an Information Security Media Group inquiry about that report. Also, Man Alive did not disclose the number of patients affected by the attack nor details about the nature of the ransomware attack and the response.
Among other recent hacker attacks exposing data on patients treated for mental health or substance abuse are those targeting:
- The New York State Office of Mental Health, which reported to HHS a hacking incident affecting almost 22,000 patients. In a notification statement, the mental health office says that on June 17, its New York State Psychiatric Institute learned that, between April 28 and May 4, certain parts of its system were accessed by unauthorized individuals. Information relating to research participants that may have been accessed includes names, addresses, dates of birth, telephone numbers, email addresses, and, in some cases, Social Security numbers, driver's license or state identification numbers, and coded health-related information from interviews or questionnaires.
- Burrell Behavioral Health in Missouri, which on Sept. 2 issued a notification to an undisclosed number of patients that their PHI may have been compromised in a cyberattack that occurred July 6 and 7. Burrell says the affected information, which may have been contained in an employee's compromised email account, may include clients' names, addresses, dates of birth, Social Security numbers, doctors' names, diagnoses, disability codes, health insurance numbers, treatments, treatment locations and medical record numbers. "The information at risk varies for each individual," Burrell notes.
Another recent breach of sensitive mental health information stemmed from an employee error, rather than a hacker attack.
That April incident, which involved misplaced paper records, affected about 1,200 patients at the Kern County Mental Health Administration in California. It occurred during the relocation of county mental health administration offices, the county says in a statement.
"During the move, a report was inadvertently left behind in a vacated section of the building that had been under construction," the statement says. The information in the report included name, internal medical record number, an internal service code and the associated unit where services were provided.
Breaches involving PHI of mental health or substance abuse treatment patients are reportable under HIPAA, but sometimes additional regulations come into play.
Mental health and substance abuse treatment information "certainly is sensitive, which is an important factor in any risk assessment related to a security breach, in determining whether notification is required," Nahra notes.
For example, even if no diagnosis or treatment information is compromised by a breach, just the unauthorized disclosure of the names of patients treated at mental health or substance abuse treatment centers can be particularly unsettling to individuals.
Also under federal confidentiality regulations - 42 CFR Part 2, from the Substance Abuse and Mental Health Services Administration, a unit of HHS - those that provide mental health or substance abuse treatment to patients under federally funded programs are required to take some special precautions in protecting sensitive patient data.
"Alcohol and drug abuse treatment information receives special protection under federal law, and there are potential criminal penalties for improperly disclosing it," Greene says. "That being said, the risk that federal prosecutors would bring criminal penalties against the victim of a cyberattack is likely low."
While the HIPAA Privacy Rule generally limits use and disclosure of PHI to those who have a need to know, 42 CFR Part 2 is much more stringent, says Holtzman of CynergisTek. "It sets limited circumstances under which mental health or substance abuse treatment data patient information may be used, disclosed or re-disclosed. ... And the majority of disclosures require written consent."
The Substance Abuse and Mental Health Services Administration, however, does not have an enforcement program to monitor or respond to violations, Holtzman says. Nevertheless, he notes, "the malicious or intentional disclosure of substance abuse treatment information protected by Part 2 is a punishable criminal violation."
One privacy advocate contends that current regulations don't help enough in safeguarding sensitive patient information and claims there's a risk those protections will be further watered down.
"Unfortunately, industry and the government are both pressing Congress to remove the requirement that physicians obtain meaningful, informed consent before revealing information about mental illness and substance abuse disorders," says Deborah Peel, M.D., a psychoanalyst and founder of advocacy group, Patient Privacy Rights. "The lack of privacy causes people to avoid or delay medical treatment and lie or omit critical information. How can such a system ever work well when it causes people to act in ways that put health and life at risk?"