Breaches Due to Sunshine Behavioral Health Group System Misconfiguration and Lake County Behavioral Health Burglary

Sunshine Behavioral Health Group, located in Portland, OR, provides business services to healthcare companies. The group submitted a breach report concerning its web-based system where patient medical records were stored. Due to an accidental misconfiguration, anyone could access patient data online.

The group uncovered the problem on September 4, 2019 and immediately implemented access controls to prevent unauthorized access to patient records. On November 14, 2019, the group also restricted access to patient records online.

On December 23, 2019, Sunshine Behavioral Health Group confirmed that the following information was contained in a folder located in the cloud-based system: names, physical addresses, debit/credit card numbers, digital signatures of individuals who paid for medical services, security codes, and expiry dates.

The people whose data were exposed included those who paid for services at the addiction treatment and rehabilitation centers of Willow Springs Recovery, Chapters Capistrano, Mountain Springs, and Monarch Shores.

The group provided two years of complimentary MyIDCare protection services to all people whose data was exposed.

The incident has not been published on the HHS Office for Civil Rights breach portal, so it is uncertain at the moment how many individuals were impacted.

Patient Data Exposed Due to Lake County Behavioral Health Burglary

A break-in at Lake County Behavioral Health in Clearlake, CA on December 5, 2019 resulted in the theft of a locked filing cabinet containing the health records of clients.

The stolen records may contain the following information about the patients: names, contact numbers, prescription medications, case numbers, consultation schedules, payments, and amounts due. One file additionally contained a patient’s birth date, healthcare history, Social Security number, income verification details, disability status, Medi-Cal ID number and record of substance use.

Lake County Behavioral Health sent breach notifications by mail to all patients whose information was taken and instructed them to send a fraud report in case of data misuse. All remaining patient records were moved to a locked room inside the facility that is secured with an alarm system and 24-hour video monitoring. The break-in is still under investigation by the Clearlake Police Department. No one has been apprehended so far.