Data Breach Notification,
Data Privacy,
Data Security
Oglethorpe Notifying 92,000 Patients of June Data Breach Involving Mental Health and Addiction Information
A Florida-based healthcare provider operating in-patient mental health and addiction treatment facilities across three states is reaching out to over 92,000 patients regarding a data breach identified in June. The incident may have compromised sensitive personal health information.
Oglethorpe Inc. recently reported this data security incident to the Maine attorney general and describes itself on its website as a provider of management solutions for health facilities specializing in psychiatric services, drug and alcohol detox, eating disorder therapy, and behavioral health counseling.
The firm, which maintains facilities in Florida, Ohio, and Louisiana—including Heroes’ Mile, a Deland, Florida facility dedicated to veteran mental health care—discovered the breach when unauthorized access to its IT network occurred around June 6. In response to the security incident, Oglethorpe quickly engaged forensic specialists to secure its network and assess the scope of unauthorized activities.
The investigation revealed that the unauthorized parties accessed personal information, potentially including names, dates of birth, driver’s license numbers, Social Security numbers, and medical records. Oglethorpe stated that while no evidence suggested misuse of this information has been observed, the company is offering affected patients 12 months of free credit monitoring to mitigate potential risks.
Oglethorpe has reported the incident to the FBI and is cooperating with ongoing investigations. As part of its response, the company has wiped and rebuilt affected systems while implementing additional security measures. Current efforts include revising policies, procedures, and security software related to data management.
Risks Associated with Sensitive Health Data
Oglethorpe is among multiple mental health providers facing similar data breaches, as evidenced by reports in the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, which highlights numerous breaches in recent years involving behavioral health organizations.
This trend reflects a growing vulnerability, especially following an incident reported by Arisa Health in July 2023, which compromised 375,000 individuals’ data. Historical breaches have led to regulatory actions, such as a $225,000 fine against Deer Oaks for lack of risk analysis after two separate incidents.
Experts, including Clearwater’s Dave Bailey, emphasize the heightened sensitivity surrounding behavioral health data. The implications of exposure extend beyond financial risks, as such information can carry significant social stigma and emotional harm. Furthermore, these breaches undermine trust, particularly in environments where patients are most vulnerable.
As investigations typically examine an organization’s understanding and mitigation of risks associated with sensitive data, it is critical for healthcare providers to surpass mere “checkbox compliance.” A thorough risk assessment should identify where the most sensitive data resides, how it may be accessed, and the security measures in place to safeguard it. Maintaining transparency with patients regarding data security issues is paramount to rebuilding trust following a breach.
