Hackers access personal data of 600K Houston-area patients | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

A cyberattack has exposed nearly 600,000 Houston-area mental health patients’ private personal and medical information. 

In July, Harris Health System announced that certain patient information had been accessed during the MOVEit attack. More than 200,000 people in the Houston area who’d received services from the county’s public health system may have been impacted, according to the U.S. Department of Health and Human Services’ Office of Civil Rights.

Last Thursday, the Harris Center for Mental Health and IDD, Harris County’s public mental health authority, announced it had also been targeted in the breach. Officials learned that Harris Center patient information had been exposed as part of the attack on June 20, according to a notice issued last week. Investigators later determined that hackers exploited the MOVEit system used by a service provider contracted by the Harris Center.   

The information exposed by the breach, depending on the individual, included the patient’s name, address, date of birth, Social Security number, health insurance information and “protected health information.” According to the Harris Center, the breach did not expose the Center’s electronic medical records nor any patient financial information. According to the U.S. Department of Health and Human Services, 599,367 individuals were impacted by the breach, nearly triple the number of Harris Health System patients exposed.

“The Harris Center does not directly use MOVEit. We are working closely with this service provider to identify all Harris Center clients impacted by this breach. As of August 18th, we have begun notifying those impacted, as required by the Office for Civil Rights (OCR),” a Harris Center spokesperson told Chron in an email. The Harris Center declined to identify the service provider impacted by the MOVEit breach.