DataBreaches.Net


MO: Burrell Behavioral Health notified more than 67,000 patients whose ePHI were exposed by business associate

Posted on March 30, 2019 by Dissent

On March 29, Burrell Behavioral Health published a news release about an unnamed business associate accidentally exposing ePHI of more than 67,000 patients back in August, 2018. Burrell’s notification, reproduced below, does not indicate when the problem was first detected or how they learned of it, but it was they who notified their business associate to secure the portal access. Today, they said that there’s no evidence that any personal information was stolen.

This is the second time in the past two years that Burrell has disclosed an incident and claimed that there was no evidence that any data had been stolen. How long can their luck hold out?

This incident is not up on HHS’s breach tool as of the time of this posting.

SPRINGFIELD, Mo. (News Release) — Burrell Behavioral Health recently sent letters to clients informing them that a business associate’s Internet-facing portal, which contained electronic images of Burrell’s protected health information (“ePHI”), was improperly secured and potentially permitted access to unauthorized individuals.

The ePHI was loaded on the server in August, 2018 and contained medical record information for up to 67,493 individuals, which could include one or more of the following: name, address, telephone number, date of birth, gender, date of service, type of services, insurance information, driver’s license number, and social security number. Burrell will notify potentially affected clients via letter and by substitute notice posted on Burrell’s website.

Upon discovery, Burrell immediately contacted its business associate to shut off portal access and launched an investigation. Computer forensics experts determined that there was a very low probability that any information was actually accessed; there was no evidence that any unauthorized individuals or automated website crawlers or scanners had accessed the ePHI and the ePHI was formatted in a manner that did not allow access through general internet searches or casual internet browsing.

Identity monitoring and protection services will be offered free of charge, as appropriate, for individuals whose social security number has been compromised by this incident. Affected individuals, or those who want to know whether or not they were affected, may call 1-(855) 571-5874, Monday through Friday, 8 a.m. to 5 p.m. CDT beginning Wednesday, April 3, 2019.

“We value the privacy and security of patient protected information and we are committed to protecting the confidentiality and privacy of our patients,” said Darren Johnson, Vice President, Information Technology for Burrell. “It is our priority to support those who have been affected.”

“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Johnson said. “We have an effective security program, but we are continuing to evaluate and implement additional administrative, technical and physical safeguards to protect ePHI. We are working with all of our business associates to ensure all ePHI is appropriately secured, and that additional technical and administrative safeguards are implemented to permit the secure transition of paper medical records to electronic form.”

Concerned individuals may wish to obtain a free credit report from each of the credit reporting bureaus – Equifax, Experian and TransUnion. The credit bureaus’ information is below:

Equifax: 888-298-0045, www.equifax.com

Experian: 888-397-3742, www.experian.com

TransUnion: 800-680-7289, www.transunion.com

Category: Breach Incidents, Exposure, Health Data, Subcontractor, U.S.
