Over 200,000 patients were notified of a recent breach.
What happened
The Facial Pain Center, a healthcare provider offering treatment for temporomandibular joint disorder (“TMD”) and sleep apnea, is based out of Bloomington, Minnesota. The provider has eight locations throughout the St. Paul and Minneapolis areas.
The company recently notified the U.S. Department of Health and Human Services (HHS) Office for Civil Rights of a breach from an unauthorized party.
According to the notice on the organization's website, “The event detailed below was limited to our Microsoft 365 cloud environment and did not involve a compromise of its internal computer network or patient records database.”
The Facial Pain Center reported the breach to the HHS as impacting 1,894, but other reports show that the company has sent out approximately 238,000 notices. As details become more clear, the organization will likely finalize its numbers.
Going deeper
According to their notice, the center became aware of unauthorized activity affecting a “limited number of employee email accounts” on January 23, 2024.
The organization said they immediately secured the email accounts and then enlisted the help of cybersecurity specialists to launch an investigation into the incident.
The investigation determined that employee email accounts were accessed between January 11th and January 23rd, 2024. During this time, the unauthorized actors may have viewed or accessed information or files stored in the email accounts. The investigation was completed on June 10th and notices to impacted patients have since been mailed out.
According to the investigation, impacted information varied by individual but may have included: name, demographic information, medical information, health insurance information, and dates of birth.
What’s next
The Facial Pain Center said they immediately took steps to improve their cybersecurity. The organization mentioned they already use some safeguards, like multifactor authentication, but plan to further enhance their security system.
In response to the breach, the company provided a list of steps impacted patients could take, such as monitoring their credit reports or requesting a credit freeze.
Some law firms are already investigating the incident, which has become a common occurrence after data breaches. If impacted individuals believe the center had negligent cybersecurity practices, they may file a class action lawsuit.
The big picture
Breaches like these are increasingly common and can result in protected health information being sold on the dark web or used for other nefarious purposes. While this breach was relatively small, it’s possible for criminals to use data collected from this breach alongside data from other breaches to create a more complete victim profile. Since combining data makes it more valuable, every breach matters and could potentially lead to identity theft or credit card fraud.
Data breaches, however, are not inevitable. With the right security systems in place, breaches can be prevented or significantly mitigated. While we do not know the full details of the breach, employee email compromises can often be prevented through training and proper email security systems.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
