NASHVILLE, TN (WSMV) - A not-for-profit health system in Tennessee is notifying current and former patients and employees that their personal and protected health information could have been accessed without their authorization during a data breach.
The investigation into the "IT security incident" started after an employee for Centerstone of Tennessee, Inc. noticed "unusual activity" involving their email account.
Centerstone said an independent computer forensics firm found certain current and former Centerstone patients and employees' personal information was "accessed or acquired without authorization."
This incident happened between December 12 and December 16, 2019.
The following information may have been involved in the incident:
- date of birth
- Social Security number
- driver's license or state identification card number
- medical diagnosis or treatment information
- Medicaid and/or Medicare information
- health insurance information
At this time, Centerstone said there "is no evidence of the misuse of any information potentially involved in this incident."
“Centerstone takes the security of patient and employee information very seriously and is taking steps to prevent a similar event from occurring in the future,” David C. Guth, Jr, chief executive officer at Centerstone, said in a statement on Friday.
Centerstone said their representatives started notifying "potentially impacted individuals" on Thursday.
"We are immediately investing more than $800,000 dollars to upgrade IT security infrastructure, including new software applications and security appliances,” Guth said.
Centerstone setup a toll-free call center to answer questions from those involved in the incident. The center is taking calls Monday through Friday from 8 a.m. to 8 p.m. at (833) 752-0854.
"We're also working with independent advisors to conduct a security audit and gap assessment to determine if there are other areas where we have an opportunity to make further security improvements. Further, we are evaluating internal policies and procedures and conducting additional staff training around IT security,” Guth said.
Centerstone is offering "potentially impacted individuals" complimentary credit monitoring and identity theft restoration services.
"Centerstone recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected," the company said in a statement on Friday.
Centerstone provides mental health and substance use disorder treatments.