First, their press release:
(El Paso, Texas October 16, 2015) Emergence Health Network (EHN) is in the process of contacting individuals regarding an unauthorized disclosure of protected health information.
An EHN computer server was compromised in August through an unauthorized internet connection. The affected computer server was disabled to minimize a compromise.
It is not apparent that any medical information was disclosed based upon a third-party audit of the computer server and EHN does not have any proof that information such as social security number, date of birth, home address, was accessed or otherwise misused. However, in an abundance of caution EHN will notify, via written notification, the affected individuals; if they choose, they can take necessary precautions regarding protection of their personal information such as contacting the credit agencies.
EHN has also already taken appropriate steps to avoid the threat of future data security compromises and is cooperating with officials in minimizing the potential effects of this incident.
To answer any questions or address any concerns, those individuals who receive the notification letter are encouraged to contact EHN at the following toll-free number or email address.
Toll Free phone number: 844-637-6466
Email: [email protected]
That doesn’t sound too bad, right? Except it turns out that the breach may have begun in 2012. From their notification letter of October 8:
We are sending you this letter to let you know that your protected health information may have been shared or seen without approval from you or Emergence Health Network (EHN). EHN is the local mental health authority for El Paso County and has previously been known as El Paso MHMR and Life Management Center. This letter is to let you know EHN is taking steps to correct the situation that caused your information to be exposed and to protect your information in the future.
What happened: EHN maintains personal information about you on several electronic computer servers which are connected to the internet. EHN is required to keep this information on computer servers in order to provide services to you. EHN became aware of strange activity on one of our computer servers on August 18, 2015. Someone, without permission from EHN, accessed the computer server through an internet connection. Because of the internet, the person or persons could have accessed this computer server from any location. A computer specialist inspected the computer server and found out that the first unapproved access of the server may have happened back in 2012. The information which was kept on the server included your first and last name, address, date of birth, social security number, case number, and information indicating that you accessed services from Life Management Center/ El Paso MHMR/Emergence Health Network. We are confident that no medical records were contained within the server.
What EHN is doing: EHN quickly disconnected the computer server from the internet when the suspicious activity was discovered. EHN is taking steps to keep this from happening again by using more secure methods for transmitting, maintaining, and safeguarding your protected health information. EHN is cooperating with state and federal agencies to report this breach.
The letter does not indicate how far back their stored patient data goes or whether it includes inactive patients, although the inclusion of inactive patients seems likely from the situation described.
The incident was reported to HHS on October 16th as impacting 11,100 patients.