A portal operated by a partner and used by the mental health service provider was left without any security protection and could have given attackers the ability to access personal information of their patients. The information was found to be vulnerable sometime in August of last year and it included patient names, addresses, phone numbers, DOB, gender, service dates and types, driver’s license numbers, SSN’s, and insurance information. The portal has since been taken down and BBH has affirmed that none of the exposed information was accessed by attackers and they stated that the ePHI was in a format that was not able to be found through an online search. Free identity monitoring and protection services are being provided by BBH as well as credit reports being made available by Equifax, Experian, and TransUnion.
Analyst Notes
Users who may have been affected should take advantage of the free credit monitoring service being provided. All entities where Social Security numbers are used should be contacted and made aware of possible fraud attempts.
