August 9, 2022

Centerstone Announces Data Breach

+ Follow Contact

Send

Embed

On August 5, 2022, Centerstone confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on Centerstone’s network through compromised employee email accounts. According to Centerstone, the breach resulted in the names, addresses, Social Security numbers, dates of birth, client identification numbers, medical diagnosis and treatment information, and health insurance information of certain patients being compromised. Recently, Centerstone sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Centerstone data breach, please see our recent piece on the topic here.

What We Know About the Centerstone Data Breach

According to a press release issued by the company, on February 14, 2022, Centerstone identified what appeared to be suspicious activity within its email system. In response, the company secured all employee email accounts and launched an investigation into the incident. The company’s investigation confirmed that an unauthorized party had access to three employee email accounts between November 4, 2021 and February 14, 2022—a period of more than three months.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, Centerstone then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, Social Security number, date of birth, client ID, medical diagnosis and treatment information, and health insurance information.

On August 5, 2022, Centerstone sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Based in Nashville, Tennessee, Centerstone is a non-profit health system providing mental health and substance abuse disorder treatments through counseling, care, and various treatment programs. Centerstone also provides medical care and pharmacy services, crisis services, residential services and therapeutic foster care services. Centerstone operates more than 170 locations nationwide, most of which are located in Indiana, Tennessee, Illinois, Kentucky, and Florida. Centerstone employs more than 35,00 people and provides care for more than 120,000 patients each year.

Data Breach Victims Must Play Close Attention to Their Protected Health Information

The Centerstone data breach leaked significant information. Included in the breached data was the protected health information of certain patients. Healthcare data breaches have become extremely common in 2022. Indeed, there have been more than 2 million victims who had their PHI compromised this year alone.

As cybercriminals and other bad actors continue to focus their efforts on obtaining patients’ protected health information, it is incredibly important for victims of a healthcare data breach to understand what is at risk and what their options are.

The first step is to understand what is meant by “protected health information.” Protected health information, which is often called PHI for short, is demographic information, medical history information, test and laboratory results, mental health information, insurance information and other data that healthcare professionals collect to identify a patient and determine the appropriate course of care. The collection and use of PHI are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Not all healthcare-related data is protected health information, however. For health information to be considered “protected,” it must contain at least one identifier. According to HIPAA, there are 18 different identifiers, including:

Name;
Address (anything more specific than a state);
Social security number;
Dates (more specific than just a year) related to an individual, such as a patient’s birthdate, admission date, etc.;
Email address;
Phone number;
Fax number;
Medical record number;
Health plan beneficiary number;
Account number;
Certificate or license number;
Vehicle identifiers, such as serial numbers and license plate numbers;
Device identifiers and serial numbers;
Web URL;
Internet protocol (IP) address;
Biometric IDs, such as a fingerprint or voice print;
Full-face photographs and other photos of identifying characteristics; and
Any other unique identifying characteristic.

Given the very personal nature of PHI, healthcare data breaches are very concerning. However, aside from the privacy risks, there is also a very real risk of physical and financial harm. Hackers who obtain protected health information may attempt to obtain medical care in a victim’s name or sell the information to another party who intends on doing the same. This not only leaves the victim responsible for the bill but can also lead to misleading and incorrect information being added to their medical records.

Those who believe their protected health information was compromised in a data breach should reach out to an experienced data breach lawyer to discuss their options.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.