In April 2023, Brightside Health, Inc. reported a breach to HHS that affected 767 patients. The incident was coded as “unauthorized access/disclosure” of information located in “EMR, other.” HHS’s closing statement on the public breach tool described the incident this way:
The covered entity (CE), Brightside Health, reported that an unauthorized individual accessed the protected health information (PHI) of 767 individuals. The PHI involved included names, Social Security numbers, addresses, and diagnoses. The CE notified HHS and affected individuals. In response to the breach, the CE sanctioned the responsible employee and implemented additional administrative and technical safeguards and retrained its staff. OCR provided technical assistance regarding the HIPAA Security Rule.
That description doesn’t even begin to communicate how serious this incident was, but an article by Brett Kelman on KFF News does. Kelman’s article is republished below with permission.
Brett Kelman
July 2, 2024
Hundreds of Americans may have unknowingly received therapy from an untrained impostor who masqueraded as an online therapist, possibly for as long as two years, and the deception crumbled only when she died, according to state health department records.
Peggy A. Randolph, a social worker who was licensed in Florida and Tennessee and formerly worked for Brightside Health, a nationwide online therapy company, is accused of helping her wife impersonate her in online sessions, according to an investigation report from the Florida Department of Health.
The Florida report says the couple “defrauded” patients through a “coordinated effort”: As Randolph treated patients in person, her wife pretended to be her in telehealth sessions with Brightside patients. The deceit was discovered after the wife died last year and a patient realized they’d been talking to the wrong person, according to a Tennessee Department of Health settlement agreement.
Records from both states identify Randolph’s wife only by her initials, T.R., but her full name is in her obituary: Tammy G. Heath-Randolph. Therapists are generally expected to have at least a master’s degree, but Randolph’s wife was “not licensed or trained to provide any sort of counseling services,” according to the Tennessee agreement.
“[Randolph] denies knowing that T.R. was using her Brightside Health Therapist Portal log-in credentials or treating clients under her account. However, [she] received compensation for the sessions conducted,” the agreement states.
The alleged ruse has not been previously reported and its details and scope were only recently glimpsed in a few pages of public documents released by the state agencies. The Tennessee settlement, released in May, states that Randolph was supposed to provide online therapy to “hundreds of clients” while working for Brightside Health from January 2021 to February 2023. However, a Brightside internal investigation found it was actually Heath-Randolph who was “seeing all her patients and had been for a long time,” according to the Florida investigation report.
Randolph declined to comment.
The Florida and Tennessee records say Randolph voluntarily surrendered her social worker’s licenses in both states. This resulted in the health departments dropping their investigations, which limited the case details and documents available in the public record. Brightside’s internal investigation report has not been made public.
Brightside Health, a San Francisco company that offers nationwide online psychiatry and therapy sessions, declined to make an official available for an interview.
Company spokesperson Hannah Changi said in an email that as soon as Brightside learned of the allegations, it audited its security, fired Randolph, and reported her to state licensing authorities. Changi said Brightside can’t say how many patients were seen by Randolph’s wife “due to the nature of the incident and ongoing legal proceedings,” but said the company notified and refunded all “potentially impacted patients.”
“We take our patient experience seriously and hold ourselves to a high ethical code of conduct,” Changi said. “We’re extremely disappointed that a single provider was willing to violate the trust that Brightside and, most importantly, her patients had placed in her.”
Brightside was also required to alert the U.S. Department of Health and Human Services, which investigates data breaches that expose private medical information. In this breach, an “unauthorized individual” accessed the info of 767 people, including Social Security numbers and diagnoses, according to the agency’s online database.
Neither Florida nor Tennessee health officials answered questions about the case.
Dean Flener, a spokesperson for the Tennessee Department of Health, said details of Randolph’s case remain confidential under state law.
Jae Williams, a Florida Department of Health spokesperson, said a full investigation was not completed because Randolph surrendered her license, which has the same effect as the state revoking it but allowed her to keep “what dignity she had left.”
KFF Health News is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF—an independent source of health policy research, polling, and journalism.