Mount Carmel Behavioral Health, a mental and behavioral health treatment center, recently reported a data breach.
What happened
Mount Carmel Behavior Health (MCBH) is a Columbus, Ohio-based treatment center that provides inpatient care for adults facing mental or behavioral health challenges. The health center frequently serves patients with various psychiatric diagnoses accompanied by addiction. Their team offers assessments, therapy, and more.
MCBH filed a notice of a data breach with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The HHS lists the breach as “under investigation,” which is common for recent breaches.
According to the HHS, the breach impacted approximately 500 individuals.
In a notice from MCBH, an unauthorized user accessed patient information, including names, dates of birth, addresses, medical record numbers, patient account numbers, health insurance information, diagnoses and treatment information, and for a small number of patients, Social Security numbers.
Going deeper
MCBH said the breach was caused by a phishing incident, which occurs when a malicious actor poses as a valid individual to gather information or credentials. In this case, the unauthorized actor was ultimately able to access one employee's email account.
According to the notice, MCBH first discovered the incident on June 12th, 2024. Upon discovery, the healthcare organization immediately began an investigation with the help of a forensic investigation firm.
The investigation determined that the employee’s email account was accessed between June 11th and June 12th, 2024.
Notifications to impacted patients were sent between August 9th and August 30th. Individuals whose Social Security numbers were included in the breach are being offered free credit monitoring and identity protection services.
“We take this incident very seriously and sincerely regret any concern this may cause,” said MCBH’s statement. “To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our systems.”
The big picture
Phishing incidents are often preventable with the right spam filters and staff education. Although many malicious actors are growing more sophisticated, there are signs that the email may not be from a legitimate sender. Signs may include the email coming from a different domain, spelling errors, or the sender asking questions that seem unrelated to their job title or role.
For MCBH, this breach could decrease trust in the organization, and if data is misused, it could result in costly legal penalties or a class action suit. For smaller organizations like MCBH, legal fees and repercussions can be difficult to overcome. As attacks continue, it’s wise for organizations to carefully consider their email security and if the best safeguards are in place.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
