Updated September 13: This incident was reported to HHS as affecting 1,654 patients.
On September 11, Psych Associates of Maryland LLC d/b/a Bloom Health Centers (“Bloom Health”), a mental health service provider, announced a data security incident that involved the personal and protected health information of some clinicians and patients.
Before digging into the details, note that some affected patients may have been treated by a Bloom Health doctor at Dominion Hospital. Dominion Hospital is not affiliated with Bloom Health Centers, but allows Bloom Health providers to serve their patients at the hospital. Additionally, certain patients may have been originally seen at companies acquired by Bloom Health, including Psych Associates of Maryland, Comprehensive Behavioral Health, and Kraus Behavioral Health.
According to Bloom’s statement, on July 5, 2023, they became aware of suspicious activity in its email environment. A subsequent investigation revealed that identified that certain files within one clinician’s mailbox may have been accessed without authorization on or around June 23, 2023. The attacker was then able to obtain access to the associated OneDrive.
“Please note that at this time, we currently have no evidence to suggest misuse or attempted misuse of this information,” they write, but the information in the compromised account may have included name, address, phone number, email address, diagnosis and medication details, health insurance information, and for a limited number of individuals, Social Security number.
A copy of their notification is linked from the home page of the website.
On September 1, Bloom notified HHS that 1,545 patients were affected by the incident.