Unauthorized Employee Email Access Led to Mental Health Center Breach

2019, Breaches, February

Who: The Kentucky Counseling Center

# of Records: 16,400

When it occurred: December 6, 2018

What Happened: A staff member took the list without authorization from our computer system and used an anonymous Internet file sharing service to email the list.

How it Happened: A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC. The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC. KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018, by a then-current employee of KCC. That person is no longer employed at the Counseling Center. KCC, one of the state’s largest behavioral health providers, offers counseling, psychiatry, suicide prevention and case management for children and adults. Besides administrative offices on Poplar Level Road in Louisville, it has locations in Frankfort, Lexington, Richmond, Covington, and London. The released information may have included names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, marital and employment status, insurance payer and insurance number. The list did not include any clinical information other than appointment dates and, in some cases, the name of the KCC clinician treating the patient.

Outcome: The counseling center also indicated that it has terminated an employee connected to the leak and notified the Federal Department of Health and Human Services of the breach. The company reported that it has alerted affected patients and is offering a year of free credit monitoring to each client. The center also said in a statement on its website that it has set up a toll-free number for patients who have questions about the breach. The counseling center said that it had taken steps to prevent future breaches, including strengthening password requirements and implementing multi-factor authentication for computer system access.