Personal, health and financial information of more than 20,000 clients of a Maine mental health agency was compromised following a June email hacking incident, the agency said Friday.
Sweetser, a nonprofit organization with operations throughout much of the state, said that an employee’s email account had been hacked in June, leading to the data security breach.
The information contained in the hacked email account may have included clients’ names, addresses, dates of birth, telephone numbers, Social Security numbers, health insurance information and identification numbers, driver’s license numbers, Medicare or Medicaid information, payment or claims information, diagnostic codes, and information regarding medical conditions and treatment, according to the agency.
Sweetser notified the affected people Friday, four months after the unusual email activity was detected.
A digital forensics team the mental health services provider hired found that, for a 10-day period from June 18 to 27, Sweetser employee email accounts were subject to unauthorized third-party access.
On Sept. 10, the investigation revealed that multiple employee email accounts might have been hacked for information.
The nonprofit said it has no evidence that the information has been misused.
The letters informing current and former clients of the security breach include information about this incident and list steps clients can take to monitor and help protect their personal information.
The Office of Civil Rights under the U.S Department of Health and Human Services is investigating the case. It is one of two open cases involving security breaches at Maine health care providers. The other case — involving a hacking incident at a collection agency that could have exposed personal and financial information of some Penobscot Community Health Care patients — was reported in July.
Sweetser has set up a toll-free call center at 833-444-4458 to answer questions about the data breach and address related concerns.