Health Recovery Services in Athens, OH, which provides alcohol and drug addiction services, notified 20,485 patients about the potential access of an unauthorized person to some of their protected health information (PHI).
An unauthorized IP address that got remote access to Health Recovery Services’ computer network was discovered on February 5, 2019. To stop further unauthorized access, they took the network and data systems offline and retained a forensic expert to investigate and find out the nature and extent of the breach.
According to the investigation findings given on March 15, 2019, the IP address accessed the network starting on November 14, 2018 until February 5, 2019. There was no evidence found which indicate the access or copying of any patient information. But it’s still possible that data was accessed or stolen.
Patients who had their protected health information (PHI) compromised received notifications by mail. The following types of patient data were found on the compromised server: names, addresses, phone numbers, and birth dates. The medical data, health insurance details, diagnoses, treatment details, and Social Security numbers of Health Recovery Services patients who received treatment after 2014 were also exposed.
Health Recovery Services made sure its entire network is totally secure and free from security risks. The entity also re-evaluated its policies, procedures, and cybersecurity controls and will improve them to stop other data breaches. Health Recovery Services will also take some action on limiting the damage that can be suffered if a network server breach happens again in the future.