The digital mental health solutions company Aptihealth based in Saratoga Springs, NY has reported the exposure or theft of the protected health information (PHI) of 19,805 patients. It uses its digital platform to provide mental health care to patients while collaborating with healthcare stakeholders. By using technology, Aptihealth provides prompt and effective mental health care.
The breach happened at Sisense, a third-party vendor that offers data analytics services. Sisense is provided access to Aptihealth patient records, including patients’ PHI to perform its services. As Aptihealth’s business associate, as per the Health Insurance Portability and Accountability Act (HIPAA), Sisense needs to protect PHI’s integrity, confidentiality, and security. It must have proper data privacy measures, report breaches, and sign a business associate agreement (BAA) that mentions responsibilities to protect patient data from unauthorized access or disclosure.
On April 17, 2024, Sisense informed Aptihealth and other customers about unauthorized access to its server by an individual from March 13, 2024 to April 10, 2024. The server included names, birth dates, addresses, dates of service, physicians’ names, health treatment and diagnosis data, names of medical insurance companies, and medical insurance ID numbers. Aptihealth reviewed the potentially breached data to know the extent of the data breach and impacted individuals. It is not clear whether Aptihealth is providing free credit monitoring and/or identity theft protection services to impacted patients after all this.
Aptihealth mentioned Sisense’s confirmation about the security of its systems after the breach and the unauthorized individual is blocked from accessing its server. Sisense is issuing personal notifications to the impacted persons and Aptihealth has set up a call center that patients can contact for more information. The helpline 855-568-3080 is available Monday to Friday from 9:00 a.m. to 9.00 p.m. ET.
Photo credits: Pakin, AdobeStock.com