Cyber Incident Victim: Compass Behavioral Health

Compass Behavioral Health, a Kansas-based mental healthcare organization, experienced a data security incident involving unauthorized access to protected health information (PHI). The organization detected suspicious activity within its email environment, prompting it to engage a specialized third-party cybersecurity vendor to conduct a forensic investigation. This investigation revealed that an unauthorized user had gained access to a limited number of files stored in employee OneDrive accounts and one email account. The intrusion potentially exposed sensitive patient data, though the exact timeframe of unauthorized access was not publicly specified in available reports.

On February 14, 2023, forensic experts identified that a specific spreadsheet containing Compass's incident reports had been compromised. This document included records of procedure breaches, injuries, accidents, and unusual events affecting 1,064 patients. Exposed information consisted of names, addresses, dates of birth, dates of death, treatment locations, medical record numbers, details related to medical incidents, limited medical information, and medication data. Investigators confirmed no evidence of Social Security numbers or financial information being accessed. Compass Behavioral Health notified affected individuals and the U.S. Department of Health and Human Services (HHS) about the breach. The organization advised patients to monitor their accounts for suspicious activity but did not report any confirmed misuse of the compromised data at the time of disclosure.