
Behavioral Health Data Breach Affects 67,000
A behavioral health practice based out of Springfield, Missouri has notified 67,493 patients of a behavioral data breach involving their medical data. The breach occurred in August of 2018. What makes this behavioral HIPAA breach unique, however, is that a vendor, not the provider itself, was ultimately responsible for the breach.
This raises serious concerns about the growing trend of data breaches that affect health care organizations and their patients but originate with a vendor. Under HIPAA regulation, a mental health HIPAA breach that is caused by a vendor can ultimately impact providers if there isn’t an effective compliance program in place.
Behavioral HIPAA Breach
According to the behavioral health data breach notice, Burrell Behavioral Health reported that its business associate had an internet-accessible portal that contained health care data that it was maintaining on behalf of the practice. The data breach occurred when a server containing the names, addresses, phone numbers, birth dates, services rendered, insurance information, driver’s license numbers, and Social Security numbers of Burrell’s patients was made available to the public.
An investigation into the behavioral health data breach was conducted, which revealed that the data was not made available through search engines. However, the fact that the information was made publicly available still constitutes a data breach.
HIPAA regulation defines business associates as any vendors who are paid to handle protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, phone number, email address, Social Security number, insurance ID number, and medical records, to name a few.
HIPAA regulation demands that providers execute a business associate agreement (BAA) with any business associates before any PHI can be shared. That means that telehealth providers who work with video chat platforms, cloud storage providers, patient portals, and billing services must ensure that BAAs have been executed before any PHI may be accessed by those vendors.
BAAs are one of the most effective ways of protecting your behavioral health practice from liability in the event of a mental health HIPAA breach that has been caused by a vendor. In this case, Burrell Behavioral Health says that it has an effective security program in place, but fails to mention whether a BAA was executed with its vendor.
This is just one of many behavioral health data breaches affecting healthcare organizations around the country day after day. With the increasingly digital nature of health care information, HIPAA compliance and data security must become a priority for maintaining the privacy and security of patient data.
