A local psychiatric practice is investigating the illegal hacking of patient records and possible sale of its clients’ confidential information to an anonymous bidder.
Behavioral Health Center, a longtime outpatient mental health practice near downtown Bangor, is working to determine the nature and extent of the breach, including what patient information was accessed and how many clients are potentially at risk, according to David Farmer, a spokesman for the practice.
“We are going to do everything in our power to make sure that any client who is affected by this theft of data is protected and to make sure that we do all that we can to prevent any future deceitful attacks,” he said.
The independent practice, owned by clinical social worker William Donahue, learned of the breach in March from DataBreaches.net, a website that tracks and reports on such hacking, Farmer said.
The site detailed alarming specifics about the breach, based on a March 18 ad reportedly posted by an individual seeking to sell the patient data for at least $10,000. The seller claimed to possess not only patient names, addresses and Social Security numbers, but also highly sensitive medical histories, including substance abuse and psychiatric evaluations, as well as clinician notes from therapy sessions, “sometimes spanning hundreds of sessions over years,” the site reported.
The seller indicated that the records date back to 2007. In a subsequent post, the seller estimated that the records belonged to 3,000 to 3,500 patients, according to DataBreaches.net.
The ad was posted on the “dark web,” a secretive part of the Internet that requires special software to access.
The site reported that the seller later updated the listing with the word “sold.” The seller did not respond to an inquiry from the site about how he or she acquired the files or how the unidentified buyer intended to use the data. The site was unable to confirm that the files were sold.
DataBreaches.net identified BHC as the source of the files after the alleged sale, using a redacted sample the seller provided. The site informed the practice of the breach on March 26, it said.
BHC took immediate steps to investigate, but it remains unclear whether the seller’s claims are accurate and how the practice’s security measures were circumvented, Farmer said. The practice is waiting on an IT investigation report that is also expected to address whether the hacking could be a scam, he said.
BHC has been in contact with the FBI about the incident, Farmer said.
“We are still working with our forensic experts to make a determination about the nature of the breach,” he said.
The practice locked down its patient records system to prevent any further unauthorized access and will notify affected clients once the extent of the hacking becomes clear, Farmer said. It’s also consulting with legal counsel to fulfill any obligations to inform state and federal authorities, he said.
Federal law generally requires health organizations to inform the government and affected patients of data breaches involving private health information. If more than 500 patients are at risk, the media typically must be alerted.
Under Maine law, consumers must be notified when their computerized personal information is lost or stolen and companies may also be required to report breaches to the attorney general’s office.
BHC provides outpatient therapy to children and adults for mental health conditions ranging from depression and anxiety to substance abuse, trauma and mood disorders.
“We take this very seriously,” Farmer said. “We have relationships with our clients and we want to take care of them and that includes their health care but it also includes their data.”