HIPAA Breach Discovered At The Philadelphia DBHIDS

Published on June 15, 2020

Updated August 14, 2020

View official DBHIDS update here.

The Department of Behavioral Health and Intellectual disAbility Services (“DBHIDS”) is posting this notice to alert individuals that their personal health information may have been compromised as a result of a cybersecurity attack. This incident may impact individuals served by DBHIDS or its business associate, Community Behavioral Health (“CBH”), which assists DBHIDS in administering the behavioral health Medicaid program (HealthChoices) for the Philadelphia region.

On March 31, 2020, DBHIDS learned that an employee’s email account had been compromised as a result of a phishing attack. The Office of Innovation and Technology’s Information Security Group (“OIT”) immediately secured the account and began an investigation. During April and May 2020, OIT discovered multiple additional DBHIDS and CBH accounts that were compromised as part of the attack. The password for each account was changed promptly upon discovery. OIT’s investigation is ongoing and additional DBHIDS and CBH accounts are being reviewed to determine whether they were also compromised. As of the date of this posting, the City’s investigation efforts have confirmed that additional DBHIDS and CBH accounts were subject to unauthorized access intermittently between March 31, 2020 and July 31, 2020. These attacks are believed to be connected to a series of malicious attacks targeting health care and social services agencies during the COVID-19 global pandemic.

If you receive services or support through DBHIDS and have questions or concerns, you can call 1-888-858-1748 for more information. CBH members can call 1-888-545-2600 for more information.