University Behavioral Center (“our Organization”) is providing notice of an incident that involved our patients’ protected health information (“PHI”). Letters were mailed to potentially affected patients or their parents/guardians on March 29, 2023.
Adelanto HealthCare Ventures, L.L.C. (“AHCV”) is a consulting company that works for one of our business associates. As part of these services, our business associate may provide AHCV with certain claim information on our patients. On November 5, 2021, AHCV became aware of suspicious activity and determined that two AHCV employee email accounts had been accessed without authorization as a result of a phishing incident. Initially, AHCV did not believe the incident involved any PHI of our Organization. It was not until August 19, 2022 that our business associate learned that certain PHI may have been involved.
Once our business associate learned of the incident, it launched an investigation into the matter and worked with AHCV to gather additional information on the incident to enable our business associate to determine whether there was a low probability that the PHI was compromised. Unfortunately, our business associate did not receive sufficient information to conduct this analysis until December 27, 2022. There is no evidence to date to suggest that the PHI was copied or misused, but our business associate notified our Organization of the incident on January 28, 2023. Once we received this notice, we worked with our business associate to take the steps needed to provide notification to individuals.
The emails contained the patient’s full name and some or all of the following: facility name, age, patient account number, admission and discharge date, insurance carrier, and balance information. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information.
Our Organization began mailing notification letters on March 29, 2023. We have also confirmed that AHCV is expanding its security measures in light of the incident and assessing additional training and security reminders for its employees. Our business associate has counseled its own employees on the incident and best practices, and is determining whether additional steps are needed. We also provided other required notices of this incident, such as notice to the U.S. Department of Health and Human Services.
While we are unaware of any actual or attempted misuse of PHI, we are offering impacted patients with 12 months of internet surveillance and identity restoration services through Experian at no charge. Individuals can refer to their notification letter for enrollment instructions.
Our Organization is committed to providing quality care, including protecting personal health information, and has policies and procedures in place for protecting and safeguarding patient information. Individuals with additional questions, may call our dedicated assistance line at (800) 910-4035 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until July 31, 2023. Please provide engagement number B087604 when calling. If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line.