
Prestera Health exposes 3,700+ patients’ info in email breach

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

Prestera Health, the largest behavioral health services provider in West Virginia, serving the counties of Boone, Cabell, Clay, Kanawha, Lincoln, Logan, Mason, Putnam and Wayne, experienced a data breach through its email system.

The statement from their website reads: “December 31, 2020 – We have become aware of a data security incident that may have resulted in unauthorized access to the private information of a small percentage of our patients.” This small percentage of their patients is estimated at 3700 individuals. The information that was exposed “included patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers.”

One of the important aspects of this breach is the nature of the facility that was breached. In this case, anybody who obtains access to this data will know that the patients on the list were treated for a behavioral health problem or a substance abuse problem. Think of the potential reputational damage that could be experienced by these individuals.

As a result of this breach, Prestera Health must now complete its Breach Notification process. This includes sending every patient involved a letter detailing the incident, the steps that Prestera is taking to help mitigate the damage caused by the incident, and the steps the patients can take to protect their own personal information. In addition, Prestera is required by the HIPAA regulations to publicly post the details of the event (which can be found on the Prestera website) so that individuals who do not receive the letter will be aware of it. Prestera has also set up complimentary identity theft restoration and credit monitoring services.

The breach was related to the Prestera email services. This points to a number of issues that need to be considered by your practice:

  • How secure is your email system?
  • What information is currently being stored in your history of sent and received emails?

Medical practices often get requests from patients to send out information via email. When a patient provides written permission to send their information via email, the medical practice is allowed to send protected health information via unencrypted email. When you receive a request of this nature, you should always have a signed consent confirming that the patient understands that email is not secure and that they give you permission to send their PHI via email. But what should you do after that email is sent? The best steps to take are:

  • Document what information was sent to the patient, the date it was sent, and the email address it was sent to.
  • Make sure your documentation includes the release form signed by the patient.
  • Once the email has been sent, DELETE it from your system. If it is deleted, it is no longer available to an unauthorized individual who gains access to your mailbox.

What about when you receive an email from a patient with protected health information? Patients can send their health information via unencrypted email without fear of penalty, because patients are not required to follow the HIPAA Security Rule. Once you receive the email, it is important that you transfer the information to their medical record and then delete the email. This again minimizes the chance that an unauthorized person who accesses the email system will view health information.

Now is a good time to review the emails that are in your inbox and those that are in your sent folder. Make sure that all vital patient information is recorded in the patients' charts and that you then delete the emails with patient information.

The next step is to communicate with your email provider and find out whether they keep backups of the email system. How often are the backup files purged? How long do they keep emails that have been ‘deleted’ on their servers? If you run your own email servers, ask these questions of your IT department.

Please make sure that, prior to deleting this data, it is saved securely in the patient's medical record, as the information may be important in future care decisions or may be necessary in the case of an audit or a malpractice action. You need to assume that patients will keep a copy of any emails they send you, and it is important that you have copies of this correspondence as well.
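As an added illustration of the inbox review and delete-only-after-charting steps above (example code written for this page, not code from the article or from TLD Systems), this Python script scans an mbox file for the identifier types named in the Prestera notice and holds any flagged message until its Message-ID appears in the set of messages already copied to the chart. The mailbox contents, addresses and identifier values are constructed for the example, and the identifier patterns are simplified approximations.

```python
import mailbox
import re
import tempfile
from email.message import EmailMessage

# Constructed sample messages (invented addresses and values) standing in for a real inbox.
SAMPLES = [
    ("<m1@example.com>", "jane@example.com", "Refill request",
     "Hi, my DOB is 03/14/1975 and MRN 00812345. Can you refill my prescription?"),
    ("<m2@example.com>", "vendor@example.com", "Invoice 4471",
     "Attached is this month's invoice for office supplies."),
    ("<m3@example.com>", "rob@example.com", "Insurance update",
     "New Medicare ID 1EG4-TE5-MK73, SSN 123-45-6789 for my file."),
]

# Detectors for identifier types listed in the breach notice (simplified formats).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE),
    "medicare_mbi": re.compile(r"\b[1-9][A-Z][A-Z0-9]\d-?[A-Z][A-Z0-9]\d-?[A-Z]{2}\d{2}\b"),
}


def find_phi(text):
    """Return the set of identifier types found in a block of text."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def build_sample_mbox(path):
    """Write the constructed messages into an mbox file at path."""
    box = mailbox.mbox(path)
    for msg_id, sender, subject, body in SAMPLES:
        msg = EmailMessage()
        msg["Message-ID"] = msg_id
        msg["From"] = sender
        msg["Subject"] = subject
        msg.set_content(body)
        box.add(msg)
    box.flush()
    box.close()


def scan_mbox(path):
    """Flag every message whose subject or body carries a PHI identifier."""
    hits = []
    for msg in mailbox.mbox(path):
        payload = msg.get_payload(decode=True) or b""
        text = (msg["Subject"] or "") + "\n" + payload.decode("utf-8", "replace")
        types = find_phi(text)
        if types:
            hits.append({"id": msg["Message-ID"], "from": msg["From"], "types": sorted(types)})
    return hits


def deletion_candidates(hits, charted_ids):
    """Only messages already copied to the chart may be deleted; the rest are held."""
    ready = [h["id"] for h in hits if h["id"] in charted_ids]
    held = [h["id"] for h in hits if h["id"] not in charted_ids]
    return ready, held


def run_demo(charted_ids=frozenset({"<m1@example.com>"})):
    """Build the sample mailbox, scan it, and split hits by charting status."""
    path = tempfile.NamedTemporaryFile(delete=False, suffix=".mbox").name
    build_sample_mbox(path)
    hits = scan_mbox(path)
    return hits, *deletion_candidates(hits, charted_ids)
```

Messages in the held list are the ones to copy into the chart first; only the ready list should be deleted.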

It is important that we are aware of what has gone wrong for other organizations and to take steps to minimize the possibility of similar events happening at our practices. Prestera is about to begin a very painful journey of remediating this breach, enduring an investigation from the Office for Civil Rights and implementing an action plan to ensure this does not happen again. They will also end up on the HIPAA wall of shame for this event. You are encouraged to take any and all appropriate steps to help ensure that a breach of this nature does not happen at your organization.

TLD Systems is available to help you develop policies and procedures to improve your HIPAA Security and we are happy to work with your Technology Vendors to identify methods of better securing your data systems. For more information, visit TLD Systems or call (631) 403-6687.

Michael Brody, DPM
Dr. Brody has been actively involved in computers and medicine since the 1980s. Dr. Brody was a Residency Director at a VA hospital on Long Island and was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees need to adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick to create a platform that gives doctors who wish to work in private practice a cost-effective method of implementing HIPAA compliance in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-Chair of the EHR workgroup at Health Level Seven International (HL7).
