The Guidance Center Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC) in Avalon in California and Long Beach, Compton, San Pedro, a not-for-profit mental health care services provider to deprived kids and their families, had spotted a security breach in its digital system.

TGC’s counsel explained in a breach notification letter sent to California Attorney General Xavier Becerra that there was strange activity noticed in TGC’s digital environment at the end of March 2019. Employees submitted reports that data files and backups seemed to be missing. TGC launched an internal investigation and learned that the files were deleted. The deeper investigation likewise revealed that a TGC computer was reconfigured enabling its remote access.

TGC is convinced that the alteration to the computer configuration and the deletion of the files were most likely done by an ex-employee. TGC reported the issue to the Long Beach Police Department and the FBI. TGC’s attorney sent a cease and desist letter to the person alleged to be the culprit of unlawful access on March 30, 2019. After the letter was sent, no further unauthorized access was detected.

On April 19, 2019, TGC hired a forensics firm to find out if the unauthorized person accessed any patient information. There was no evidence of unauthorized PHI access or data exfiltration was discovered. However, the remote access of some employee email accounts was detected.

As per the substitute breach notice on the TGC site, TGC discovered on September 19, 2019 that the email accounts contained some sensitive data. It took a while to establish which clients were impacted and to locate the updated contact details of those people. TGC sent breach notification letters on October 25, 2019.

Altogether, the protected health information (PHI) of 1,235 present and past clients was specified in the email accounts and may consequently have been accessed, though there is no evidence found that suggest unauthorized PHI access.

The data in the accounts only included names, addresses, birth dates, health insurance/claims details, medical data and the Social Security numbers for some patients.

All people whose Social Security number was compromised received offers of one-year free credit monitoring services. More security controls were currently implemented to avoid similar incidents from happening again. The deleted files were recovered. TGC did not mention any reason for the access of the email accounts and the deletion of files and backups.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA