BRYAN, Texas (KBTX) - A Brazos Valley nonprofit organization based in Bryan is currently conducting an investigation following the discovery of a potential data breach that may have compromised the personal and protected health information of both employees and patients.

The security incident occurred at the MHMR Authority of the Brazos Valley, an organization serving thousands of individuals in a seven-county area, providing support for those with mental health needs or intellectual and developmental disabilities.

MHMR has locations in Bryan, Caldwell, Navasota, Centerville, Madisonville, Hearne, and Brenham.

Data breaches like the one seen at MHMR have been on the rise across the country and have become increasingly costly.

According to a study by the Ponemon Institute, which focuses on information security and privacy issues, 53% of companies experienced a third-party data breach in the past year.

Cybersecurity Ventures, a research company specializing in cyber economic market data, predicts that global cybercrime costs will grow by 15% annually over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

Last November, MHMR discovered an incident that affected access to certain computer systems. In late December, KBTX became aware of the data breach and began inquiring about the incident on December 21, but MHMR declined to comment at that time.

After conducting a review more than six months later, KBTX discovered that the personal and protected information of certain MHMR employees and current and former patients might have been compromised. The exact number of affected individuals remains unknown, but officials said in a press release that the breach targeted personal information, including Social Security and driver’s license numbers, bank account details, logins, medical records, and health insurance information.

“On November 5, 2022, MHMR experienced a security incident disrupting access to certain computer systems. In response, MHMR took immediate steps to secure its systems and promptly launched an investigation. In so doing, MHMR engaged independent digital forensics and incident response experts to determine what happened and to identify any information that may have been accessed or acquired without authorization as a result, including the engagement of an independent team to perform a comprehensive review of all data that may have been affected by the incident. On or about May 30, 2023, this review identified that the personal and/or protected health information related to certain employees and current and former patients may have been involved. MHMR then exhausted its resources to diligently obtain and compile missing address information, where available, to effectuate notification to those potentially affected, which was completed on July 17, 2023.”

Surprisingly, despite the prevalence of data breaches, a study by Varonis found that 64% of Americans have never checked to see if they were affected by one, and 56% of Americans are unsure about the necessary steps to take in the event of a data breach.

In response to such incidents, earlier this year, Governor Abbott signed Senate Bill 768, a law amending the state’s data breach notification statutes. The amendments mandate notifying the Attorney General within 30 days of confirming the impact on at least 250 Texas residents and submitting notifications electronically through a provided form on the Attorney General’s website. These amendments will take effect on September 1.

Presently, MHMR does not appear on the Attorney General's data breach list, but that could indicate that the list may not have been updated.

In MHMR’s press release, they say they have no knowledge that personal information was used to commit identity theft or for other illicit financial gain.

“Please know that at this time, MHMR has no knowledge that personal information was used to commit identity theft or for other illicit financial gain. However, on July 28, 2023, notice of this incident was provided to potentially impacted individuals with available address information. The notice that was provided included information about the incident and about steps that potentially impacted individuals can take to help protect their information.”

KBTX reached out to MHMR for comment, but they stated that they have no further information to provide at this time.

A copy of the full press release can be viewed below.

"BRYAN, Texas, July 28, 2023 /PRNewswire/ -- MHMR Authority of Brazos Valley ("MHMR"), a non-profit community health center, has learned of a data security incident that may have involved the personal and protected health information of certain employees and patients that received services from MHMR. This notification provides information about the incident and resources available to assist potentially impacted individuals. The following personal and protected health information varied between individuals but may have been involved in the incident: name, Social Security number, driver's license number, financial account information, username and access information, medical record number, Medicaid or Medicare number, medical treatment and/or diagnosis information, and/or health insurance information. The security of information is a top priority at MHMR and protecting employee and patient information at all costs is a critical operational piece to MHMR's role as a care provider. MHMR has implemented additional measures to enhance the security of its digital environment in an effort to minimize the likelihood of a similar event from occurring in the future. MHMR has also established a toll-free call center to answer questions about the incident. Call center representatives are available Monday through Friday from 8:00 AM – 8:00 PM Central Time and can be reached at 1-888-220-4956."

