BANGOR, Maine — A hacker stole personal information belonging to more than 4,000 patients of a local psychiatric practice, including medical details and Social Security numbers, an investigation has found.
The data breach at Behavioral Health Center occurred March 14, when a hacker using an internet service provider from the eastern European country of Moldova accessed certain folders on the center’s server, BHC said Tuesday in a news release.
Since receiving a report of the breach on March 26, the practice determined that 4,229 records of Maine residents were compromised, the release states.
Medical information was among the stolen data, potentially including diagnoses and notes entered by clinicians into patient files. The hacker also accessed addresses, Social Security numbers and phone numbers.
For some patients, entire records spanning years with the longtime agency could be at risk.
BHC provides outpatient therapy to children and adults for mental health conditions ranging from depression and anxiety to substance abuse, trauma and mood disorders.
The hacker defeated password security on a system that allows the center’s employees to access patient files remotely, according to David Farmer, a spokesman for the practice. That system was immediately disconnected and employees must access patient files from the center’s Court Street office, he said.
Investigators examined evidence of hacking left on the center’s systems but have no way to determine the veracity of claims made by an anonymous individual who purportedly sold the patient data through an online ad, Farmer said.
“Our top priority remains taking care of our clients,” William Donahue, owner of the mental health agency, said in the release. “When we learned of the problem with our systems, we immediately took steps to make sure that they were no longer vulnerable and launched an immediate investigation. Now, we’re putting in place protections for everyone who might have been affected.”
The center began sending notification letters to affected clients Tuesday with details about the breach and instructions to sign up for free credit monitoring. It contracted with CyberScout, a company that specializes in identity theft education and resolution, to monitor clients’ credit reports for 12 months.
“I know that people are going to be worried. At BHC, we’re doing everything within our means to make the situation better,” Donahue said. “We sincerely regret that this has happened and offer our apologies as we continue to work to remedy and address the incident.”
BHC notified the Office of Civil Rights at the U.S. Department of Health and Human Services, the Maine attorney general and the Maine Department of Health and Human Services of the breach. It also contacted the FBI, according to the release.
Affected clients can call CyberScout’s helpline at 1-800-405-6108 for additional information about credit monitoring services. Information is also available at behavioralhealthcenter.com.