1,235 Clients of The Guidance Center Impacted By Unauthorized Email Account Access and Data Deletion

The Guidance Center (TGC), a not-for-profit provider of mental health care services to deprived children and their families with locations in Long Beach, Compton, San Pedro and Avalon in California, had a security breach of its digital system.

In a breach notice provided to California Attorney General Xavier Becerra, TGC’s lawyer revealed that unusual activity was found in TGC’s digital system toward the end of March 2019. Employees reported that data files and backups appeared to be gone. TGC started an internal investigation and learned that the files had been deleted. Further scrutiny also revealed that a TGC computer had been reconfigured to allow remote access to it.

TGC believes that the change to the computer settings and the removal of files were probably carried out by a former employee. TGC reported the breach to the Long Beach Police Department as well as the FBI. TGC’s lawyer sent a cease and desist letter to the individual believed to be the perpetrator of the unlawful access that occurred on March 30, 2019. No further unauthorized access was detected after the letter was sent.

On April 19, 2019, TGC engaged a forensics company to determine whether the unauthorized individual had accessed patient data. The investigation found no proof of unauthorized PHI access or exfiltration of data. Nonetheless, remote access to the email accounts of some employees was detected.

According to the substitute breach notice posted on the TGC website, TGC confirmed on September 19, 2019 that the email accounts contained sensitive data. It took TGC a long time to determine which clients were affected and get their up-to-date contact details; breach notifications were then sent on October 25, 2019.

The email accounts were found to contain the protected health information (PHI) of 1,235 current and previous clients. Consequently, their information may have been accessed without authorization, though no proof of this has been identified.

The PHI of patients contained in the accounts included their names, birth dates, addresses, medical insurance/claims information, medical information and some patients’ Social Security numbers.

TGC offered free credit monitoring services for one year to everyone whose Social Security number was compromised. To prevent a similar incident in the future, TGC implemented additional security controls. Though the deleted files were retrieved, it’s not known why the email accounts were accessed and why the files and backups were deleted.