Valley Hope Association (VHA), a Kansas-based addiction treatment organization with 16 facilities in seven Midwest states has started notifying patients that their information may have been compromised in a data breach.
After officials found suspicious activity on an employee’s email account in October, an investigation was launched. VHA hired a forensics team to uncover details about the suspected email hack. On November 23, research confirmed that a cybercriminal accessed an employee’s email account on either October 9 or 10.
Information that may have been compromised in the breach includes identifiers such as, social security numbers, dates of birth, financial account information, patient claim or billing information, driver’s license or state identification card numbers, health insurance information, medical record numbers, medications, and more. No medical diagnosis or treatment information was involved in the breach.
VHA has not specified the number of patients involved in the breach but will be sending out detailed notifications to those affected. The organization will also be offering each breach victim one year of free credit monitoring and identity protection services.
Following the incident, VHA has started adding additional security measures to safeguard patient data. The organization is also reviewing their policies and procedures to see what they can do to improve their security.
The breach was reported to the Department of Health and Human Services’ Office for Civil Rights, as well as state and credit reporting agencies. Further details regarding the incident are expected to be released on HHS’ website for data breaches in the near future.