Business Associate Error Impacted Burrell Behavioral Health Patients’ PHI


Burrell Behavioral Health notified 67,493 patients of the accidental compromise of their healthcare information because of an error at an unnamed business associate in August 2018.

The business associate stored images that include the protected health information (PHI) of some Burrell Behavioral Health patients. An error in the internet-facing portal used by the business associate exposed the patient data. Information visible on the images included names, addresses, telephone numbers, gender, birth dates, dates of service, types of service provided, health insurance data, driver’s license numbers and Social Security numbers.

Burrell Behavioral Health learned of the incident on January 30, 2019 and notified its business associate. The business associate secured the server immediately.

A forensic team carried out an investigation to determine what information was exposed and whether PHI had been accessed. It was reported that patient information was uploaded to the business associate’s server in August 2018. There was no evidence that the information was accessed, not even by automated website crawlers and scanners. This may be because of the images’ file formats, which are not usually found online through general web surfing or searches.

The investigators concluded that unauthorized data access was highly unlikely. Nevertheless, as a precaution, patients whose Social Security numbers were exposed received offers of identity theft monitoring and protection services at no cost.

Burrell Behavioral Health has implemented measures to avoid breaches of the same type and is working with its business associates on technical and administrative security options to further protect patient information.