Centerstone Announces Data Breach | Console and Associates, PC

On August 5, 2022, Centerstone confirmed that the company suffered a data breach after an unauthorized party gained access to sensitive consumer data contained on Centerstone’s network through compromised employee email accounts. According to Centerstone, the breach resulted in the compromise of some patients’ names, addresses, social security numbers, dates of birth, customer identification numbers, medical diagnosis and treatment information, and health insurance information. Recently, Centerstone sent data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves against identity theft and other fraud.

If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself against fraud or identity theft and what your legal options are following the Centerstone data breach, please see our recent article on the subject. here.

What we know about the Centerstone data breach

According to a press release issued by the company, on February 14, 2022, Centerstone identified what appeared to be suspicious activity within its messaging system. In response, the company secured all employee email accounts and launched an investigation into the incident. The company’s investigation confirmed that an unauthorized party gained access to three employee email accounts between November 4, 2021 and February 14, 2022, a period of more than three months.

After discovering that sensitive consumer data was accessible to an unauthorized party, Centerstone then reviewed the affected files to determine what information had been compromised and which consumers had been affected. Although the information disclosed will vary depending on the individual, it may include your name, address, social security number, date of birth, client number, medical diagnosis and treatment information, and health insurance information.

On August 5, 2022, Centerstone sent data breach letters to everyone whose information was compromised as a result of the recent data security incident.

Based in Nashville, Tennessee, Centerstone is a nonprofit health system that provides mental health and addictions treatment through counseling, care, and various treatment programs. Centerstone also provides medical care and pharmaceutical services, crisis services, residential services and therapeutic foster care services. Centerstone operates more than 170 locations nationwide, most of which are located in Indiana, Tennessee, Illinois, Kentucky and Florida. Centerstone employs more than 35,000 people and provides care to more than 120,000 patients each year.

Data breach victims should pay close attention to their protected health information

Centerstone data breach leaked important information. Among the hacked data was the protected medical information of some patients. Healthcare data breaches have become extremely common in 2022. Indeed, over 2 million victims have had their PHI compromised this year alone.

As cybercriminals and other malicious actors continue to focus their efforts on obtaining protected health information from patients, it is extremely important for victims of a health data breach to understand what is at risk and what are their options.

The first step is to understand what is meant by “protected health information”. Protected Health Information, often referred to as PHI for short, is demographic information, medical history information, test and lab results, mental health information, insurance information, and other data that medical professionals collect to identify a patient and determine appropriate treatment. The collection and use of PHI is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

However, not all health care data is protected health information. For health information to be considered “protected”, it must contain at least one identifier. According to HIPAA, there are 18 different identifiers, including:

  • Last name;

  • Address (something more specific than a state);

  • Social Security number;

  • Dates (more precise than a simple year) related to an individual, such as a patient’s date of birth, date of admission, etc. ;

  • E-mail address;

  • Phone number;

  • Fax number;

  • medical file number;

  • Health plan beneficiary number;

  • Account number;

  • Certificate or license number;

  • Vehicle identifiers, such as serial numbers and license plate numbers;

  • Device identifiers and serial numbers;

  • Web URL;

  • Internet Protocol (IP) address;

  • Biometric IDs, such as a fingerprint or voice print;

  • Head-on photographs and other photos of identifying features; and

  • Any other unique identifying characteristic.

Given the very personal nature of PHI, health data breaches are of great concern. However, in addition to the privacy risks, there is also a very real risk of physical and financial harm. Hackers who obtain protected medical information may attempt to seek medical care on a victim’s behalf or sell the information to another party who intends to do the same. This not only leaves the victim liable for the bill, but can also result in misleading and incorrect information being added to their medical records.

Those who believe their protected health information has been compromised in a data breach should contact an experienced data breach attorney to discuss their options.