Data breach at Texas behavioral health center affects more than 24,000
A data breach at Texas behavioral health provider Texoma Community Center affected more than 24,000 people and highlights how timelines for breach notification may lag behind security events—even when the most sensitive information is compromised.
Texoma is a nonprofit that specializes in delivering mental health and substance abuse services. The public notice posted on its website last week says the organization “became aware of suspicious activity relating to several employee email accounts that were sending unauthorized messages,” on October 20 of last year and “immediately launched an investigation.” However, it took nearly 10 months for the center to notify stakeholders, including health authorities, of the breach.
With the help of unspecified outside forensics specialists, the organization discovered “that an unauthorized actor accessed several employee email accounts between September 24, 2020 and December 1, 2020”—suggesting that the compromise continued for more than a month after suspicious activity was noticed.
It wasn’t until July 15 of this year that the organization “identified the individuals potentially impacted by this incident after a thorough manual review” of the compromised email accounts, according to the disclosure. The level of compromise varies by individual, but an extensive list of information, some of it incredibly sensitive, was exposed as part of the hack, including:
“date of birth, medical history, treatment or diagnosis, health information, health insurance information including policy and/or subscriber information, insurance application and/or claims information, birth certificate, marriage certificate, digital signature, facial photograph, email address and password, unique biometric data, vehicle identification number, username and password, military identification number, and for a smaller number of individual may include Social Security number, driver’s license number, financial account information, and credit or debit card number.
Healthcare providers are generally required to notify people affected by breaches of protected health information within 60 day under U.S. Department of Health and Human Services’ Breach Notification rules. However, HHS guidance makes it clear that the clock for notification starts ticking “the date the breach was discovered by the covered entity,” unless delay is requested by law enforcement.
Texoma Community Center’s notification did not reference working with law enforcement to respond to the breach, and the organization did not respond to The Record’s inquiry about the timeline of its investigation and notification processes. HHS declined to comment on the specific incident.
Under HHS rules, covered entities that suffer breaches of health information affecting more than 500 people are also supposed to notify local media and the agency.
HHS publicly releases data about those reports. The agency’s database shows Texoma Community Center reported a “Hacking/IT Incident” involving email that affected 24,030 people on August 16th of this year.
The Texoma Community Center is notifying those affected for whom it has addresses by mail, per the website notice, and operating a hotline for patients to call for information about their status. The organization also shared resources related to preventing or limiting the impact of identity theft, including credit freezes.
The healthcare sector has long been the target of digital attackers, including ransomware gangs seeking profit and state actors seeking intelligence. The Texoma Community Center breach highlights how this epidemic of digital attacks affects smaller service providers who may not always have easy access to expertise or resources to quickly contain, investigate, and disclose when sensitive information is compromised.