Ballad Health Provides Notice of Data Privacy Incident
One of the highest priorities of Ballad Health is the protection of each patient’s privacy. Ballad Health’s policies and procedures are designed to ensure access to each patient’s personal information is protected and only made available to individuals for appropriate purposes. Additionally, Ballad Health has deployed industry leading practices and technology to protect patient information from cyber threats. Ballad Health is providing notice of a recent incident that may impact the privacy of some personal and/or medical information. Ballad Health is unaware of any misuse of individual information and is providing this notice out of an abundance of caution.
On or about January 13, 2022, Ballad Health became aware of unusual activity related to an employee’s email account. Ballad Health immediately began an investigation to help better understand the nature and scope of this activity, and on February 17, 2022, it was determined that the employee’s Ballad Health email account was accessed without authorization for a limited amount of time. It was not possible to determine exactly which email messages or attachments may have been accessed or viewed without authorization. In an abundance of caution, a detailed and thorough programmatic and manual review of the contents of the email account was performed to determine whether sensitive information was contained in any of the email messages or attachments within this employee’s Ballad Health account. Upon receiving the results of the detailed review of the email contents on March 16, 2022, Ballad Health worked diligently to locate address information for the affected individuals and just recently completed that effort.
The types of personal information that may have been accessible to the unauthorized actor include: name, address, date of birth, medical history, medical condition or treatment information, medical record number, diagnosis code, and patient account number.
Ballad Health takes this incident and the security of personal information in its care seriously. Upon learning of the suspicious activity through Ballad Health’s surveillance activity, Ballad Health’s team immediately took steps to investigate the scope of the event. Security measures have been taken to secure the employee’s email account, including issuing a new password, and Ballad Health continues to educate the workforce on the importance of security measures each person must take to protect access to the Ballad Health email system.
In addition, Ballad Health is notifying relevant state and federal regulators to ensure awareness of the incident.
Although no social security numbers were included in the information that may have been accessed, Ballad Health encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing your account statements and explanations of benefits. Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.
Individuals seeking additional information regarding this incident can call Ballad Health’s dedicated, toll-free number at 855-482-1570, Monday through Friday 8:00 a.m. to 5:30 p.m. Central Time (excluding some U.S. Holidays). Individuals may also write to Ballad Health’s Privacy Officer at 1019 W. Oakland Avenue, Suite 4, Johnson City, Tennessee 37604.
Ballad Health is committed to safeguarding personal information and will continue its ongoing efforts to enhance the protections in place to secure the information in its care.