Highland Health Systems, a mental health center based in Anniston, AL, sent notifications to 83,543 people regarding a cyberattack discovered on July 3, 2023 that potentially resulted in unauthorized access to some patients’ sensitive personal data. After identifying suspicious activity, the health center secured its systems and engaged a cybersecurity company to carry out a forensic investigation. The investigation confirmed that an unauthorized third party acquired access to files on its system.
An analysis of the incident was performed to find out the number of patients impacted and the types of data exposed. Highland Health Systems finished the analysis on May 24, 2024 and hired a third-party notice vendor on May 28, 2024 to manage the sending of breach notifications. Notifications were sent on June 13, 2024 after verifying the exposed data and getting the updated addresses of impacted individuals. This notice is meant to advise affected individuals about the incident so they can take steps to avert the misuse of their information.
The breached data included names along with at least one of these data elements: birth date, Social Security number, payment card number and PIN, account number, email address and password, health data, medical insurance details, tax ID, routing number, and state ID or driver’s license number.
Highland Health Systems has adopted new security tracking software, modified administrative credentials, implemented new encryption technologies, and added extra NIST-compliant technical systems. Security guidelines and procedures were revised, and employees underwent HIPAA training.
Highland Health Systems did not receive any report of misuse of the breached data but has provided the impacted persons with free 12-month credit monitoring and identity theft protection services. Affected individuals are instructed to remain vigilant for incidents of identity theft and fraud, and to check their account statements and credit reports for strange or unauthorized transactions.
Highland Health Systems is sorry for the inconvenience caused by this incident and assures that it is committed to protecting the privacy and safety of all data in its possession.