Getty Images

West Virginia Center’s Health Data Breach Includes Patients’ PHI

A cyberattack at the Prestera Center impacted patients' PHI.

Prestera Center is notifying patients of a recent data breach that includes protected health information. 

The breach includes unauthorized access to employee email accounts and contained some Protected Health Information (PHI,) according to the privacy breach notification the West Virginia-based behavioral health services provider published.  

“At this time, there is no indication that anyone’s information has been subject to actual or attempted misuse in relation to this incident,” the notice, published on its website on July 20, reads.  

“Nevertheless, we are writing to you because information relating to individuals, including names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, or health insurance information, was contained within at least one of the impacted email accounts,” it states. “Please note that the information varies by individual and for many individuals, a limited number of data types were determined to be accessible.” 

Prestera, which has 55 locations throughout West Virginia, said the breach occurred in 2020.  

“On or about April 1, 2021, Prestera Center discovered that information related to certain individuals was potentially accessible to an unknown actor in or about August and September 2020,” the notice states. “This incident involved unauthorized access to certain email accounts used by Prestera Center employees.” 

“While our investigation was able to confirm access to certain employees’ email accounts, the investigation was unable to rule out access to any emails or attachments contained within those email accounts,” the statement notes. “Therefore, out of an abundance of caution, a review of the entire contents of the impacted email accounts was conducted to identify emails or attachments containing personal information.”  

The center said it is currently working to address information security.  

“As part of our ongoing commitment to the security of personal information in our care, we are working to review our existing policies and procedures and to implement additional safeguards to enhance the security of our email accounts,” the statement notes. “In addition to notifying individuals, we will also be notifying state and federal regulators, as required.” 

In December 2020, the center notified patients of a data security incident involving Prestera’s business email environment.  

The center said a small percentage of patients’ PHI was impacted by the breach.  

“After a thorough review, and with the assistance of a third-party vendor, we discovered that the affected information included patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers,” CEO Karen Yost said in a December 31, 2020 statement. “The exact elements of personal information that were affected as a result of this incident varied per individual. Once again, Prestera Center has no evidence of attempted or actual misuse of anyone’s information because of this incident.” 

For patients impacted by the recent security breach, Prestera is offering a credit monitoring service for one year.  

Those in need of additional information can contact the assistance line at 855-535-1856, Monday through Friday, from 9 am to 9 pm EST, excluding US holidays. 

Next Steps

Dig Deeper on Cybersecurity strategies