On October 24, 2024, Gándara Center reported a data security breach that exposed the protected health information (PHI) of current and former patients.
Gándara Center, a Massachusetts-based behavioral health and substance abuse service provider, recently announced a data breach that compromised 17,000 patients’ health data.
Unusual network activity was first detected on June 20, 2024, and further investigation revealed that an unauthorized third party gained access to patients' names, Social Security numbers, dates of birth, driver's license numbers, medical treatment or diagnosis information, and health insurance information.
The organization began mailing letters to the affected persons on October 23, 2024, and has offered credit monitoring services and identity protection through Identity Defense to the potentially impacted individuals. The organization also notified relevant regulatory authorities, including the FBI and the HHS Office for Civil Rights.
In their security notice, Gándara Center said, “The privacy and protection of personal and protected health information is our top priority, and Gándara deeply regrets any inconvenience or concern this incident may cause.”
Protected health information (PHI) is a major target in healthcare cyberattacks, with threat actors exploiting cybersecurity vulnerabilities for financial gain. PHI includes any information on a patient's health status, medical treatment, or payment for healthcare that can identify the individual, such as names, addresses, birthdates, Social Security numbers, medical records, and other personal identifiers tied to healthcare services.
Although HIPAA regulations require healthcare providers to secure PHI, data breaches often reveal gaps in compliance and readiness. The Gándara Center breach emphasizes that health organizations must improve cybersecurity protocols to protect patient trust and the business’s reputation.
Individuals who received a notification letter from the Gándara Center must use the information provided to protect themselves from potential identity theft and fraud.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.