Centerstone notifies patients and employees of IT security incident

Centerstone of Tennessee, Inc. (“Centerstone”) announced today that it recently learned of unauthorized access to personal and protected health information belonging to certain current and former Centerstone patients and employees. Centerstone has sent notification of this incident to potentially impacted individuals and is providing resources to assist them.

After learning of unusual activity involving an employee’s email account, Centerstone immediately launched an investigation. In the course of this investigation, Centerstone engaged an independent computer forensics firm to determine what happened and whether personal information had been accessed or acquired without authorization. The forensic investigation concluded that certain employee email accounts were accessed without authorization between December 12 and December 16, 2019. On August 25, 2020, the investigation further identified that personal and protected health information was contained within the affected email accounts. Upon discovering that the incident impacted individual information, Centerstone immediately initiated a diligent search to identify current contact information so that it could notify potentially impacted individuals. 

Currently, there is no evidence of the misuse of any information potentially involved in this incident, and Centerstone began providing notice of this incident to the potentially impacted individuals on October 22, 2020. In doing so, Centerstone provided information about the incident and about steps that potentially impacted individuals can take to protect their personal information. In addition, Centerstone is providing potentially impacted individuals access to complimentary credit monitoring and identity theft restoration services. Centerstone recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected.

“Centerstone takes the security of patient and employee information very seriously and is taking steps to prevent a similar event from occurring in the future,” said David C. Guth, Jr, chief executive officer at Centerstone. “We are immediately investing more than $800,000 dollars to upgrade IT security infrastructure, including new software applications and security appliances. We're also working with independent advisors to conduct a security audit and gap assessment to determine if there are other areas where we have an opportunity to make further security improvements. Further, we are evaluating internal policies and procedures and conducting additional staff training around IT security,” Guth added. 

The following personal and protected health information may have been involved in the incident: name, date of birth, Social Security number, driver's license or state identification card number, medical diagnosis or treatment information, Medicaid and/or Medicare information, and/or health insurance information. 

Centerstone has established a toll-free call center to answer questions about the incident and to address related concerns. Call center representatives are available Monday through Friday from 8:00 am — 8:00 pm Central Time and can be reached at (833) 752-0854.

About Centerstone

Centerstone is a not-for-profit health system providing mental health and substance use disorder treatments. Services are available nationally through the operation of outpatient clinics, residential programs, the use of telehealth and an inpatient hospital. Centerstone also features specialized programs for the military community, therapeutic foster care, children’s services and employee assistance programs. Centerstone’s Research Institute provides guidance through research and technology, leveraging the best practices for use in all our communities. Centerstone’s Foundation secures philanthropic resources to support the work and mission of delivering care that changes people’s lives.

Recommended for you