Saco-based nonprofit mental health care provider Sweetser has notified 22,000 current and former clients that their sensitive personal and medical information may have been stolen by hackers in an email security breach in June.

Notification letters were sent Friday to potentially impacted clients, according to Sweetser, which said it doesn’t know whether the intent of the breach was to steal clients’ personal information. The organization provides a variety of mental health services to children and adults, including individual and group therapy, psychiatry and substance abuse counseling services.

A leading mental health care advocate in Maine said the data breach could have wide-ranging negative effects beyond cybercrimes such as identity theft. She said it could erode trust between patients and their providers, and discourage Mainers in need of mental health services from obtaining them.

“On average, people wait 10 years before they seek mental health therapy because of society’s stigma,” said Jenna Mehnert, executive director of the Maine chapter of the National Alliance on Mental Illness. “The discrimination people experience related to their mental health challenges is still very real, so concern that their information will be shared and that it will have a negative impact is legitimate.”

Sweetser said it detected unusual email activity on June 24 and soon after learned an unauthorized third party may have gained access to an employee’s email account. Once the potential breach was discovered, Sweetser secured the account, immediately began an investigation and engaged a digital forensics firm to determine the scope of the incident, it said.

Based on the firm’s findings, it was determined that Sweetser employee email accounts were subject to unauthorized access from roughly June 18 through June 27. On Sept. 10, the investigation revealed that data containing clients’ personal information within one or more email accounts also may have been affected, Sweetser said.

Advertisement

“This personal information may have included names, addresses, dates of birth, telephone numbers, Social Security numbers, health insurance information and identification numbers, driver’s license numbers, Medicare or Medicaid information, payment or claims information, diagnostic codes, and information regarding medical conditions and treatment,” it said.

The incident was limited to information transmitted via email and did not affect any other information systems, the health care provider said.

The notification letters issued Friday include information about the incident and steps potentially impacted clients can take to monitor and help protect their personal information, Sweetser said, adding that it has engaged a call center to establish a toll-free hotline to answer questions about the breach and address related concerns. The hotline can be reached at 1-833-444-4458 from 8 a.m. to 5 p.m. Monday through Friday, it said.

Sweetser said it is offering complimentary identity protection services through Experian to those clients whose Social Security numbers were potentially impacted in connection with the breach. To determine if they qualify for the service, clients must obtain verification through the hotline, it said.

“The privacy and protection of private information is a top priority for Sweetser,” the provider said. “Sweetser deeply regrets any inconvenience or concern this incident may cause.”

Sweetser said it completed a thorough review of the affected accounts to determine whose personal information may have been impacted by the data breach, and to provide notification to those affected. It said there is no evidence that any of the information potentially involved in the incident has been misused, but that it has reported the matter to the FBI and will cooperate as necessary to hold the perpetrators accountable.

Advertisement

VULNERABLE POPULATION

Mehnert, the mental health care advocate, said an estimated one in four Mainers suffers from mental illness. She said there is a real concern that the trauma of knowing their sensitive medical information may have been stolen could exacerbate the mental illness of Sweetser patients.

“A complicating factor in this situation is that trauma and mental illness are linked. This means that people with mental health conditions often also have experienced traumatic events,” Mehnert said. “A history of trauma can mean that a person’s ability to trust others has been compromised. While the information was stolen by hackers, it could feel to peers as if someone intentionally failed to protect them.”

She said her group has a help line at 622-5767 for any Mainers who may feel they have suffered psychologically from learning about the data breach incident.

Sweetser spokeswoman Susan Pierter said the organization has implemented numerous technical security enhancements and administrative safeguards to help prevent another data breach from occurring in the future. She said as soon as Sweetser became aware of the hacking incident, it worked diligently through mid-October to identify up-to-date address information required to notify potentially impacted clients.

Sweetser reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights on Sept. 13. The office, which maintains a public database of cyberattacks against U.S. health care providers, received a total of 36 reports about cybersecurity breaches at U.S. health care providers in September alone.

Advertisement

Another Maine health care provider, Bangor-based Penobscot Community Health Center Inc., reported a similar hacking incident to the Office for Civil Rights on July 12 that compromised up to 13,300 patients, according to the database.

In October 2018, the U.S. Department of Health and Human Services announced that Anthem Inc., Maine’s largest health insurance provider, had agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care-related hacking incident in U.S. history.

The personal information of nearly 79 million people – including names, birth dates, Social Security numbers and medical IDs – was exposed in the cyberattack, discovered by the company in 2015. Targets of the cyberattack include the company’s more than 312,000 existing customers and more than 800 employees in Maine.

Chris Claudio, CEO of Portland-based information technology services provider Logically, said although health care organizations are required by law to protect patients’ digital records, the laws aren’t strict enough to prevent data breaches from happening.

In most cases, protecting data from theft requires a strict adherence to best practices such as filtering of malicious web addresses and email messages, data encryption, complex passwords for all workstations and two-factor authentication for all email accounts, he said.

But even with those safeguards in place, the possibility of human error always presents a certain risk, Claudio said. The best thing any organization can hope for is to minimize the damage from a hacking incident when it inevitably happens.

“Almost always, the most unreliable factor in any security breach is the human being,” Claudio said. “And so you can do a lot of different things to prevent things from getting into the organization, but you can’t stop a human from making a mistake if it’s put in front of them and they don’t know what they’re doing.”

Related Headlines

Comments are no longer available on this story