High Severity (Score: 6/10)

Schewitz Psychological Services Data Breach Exposes 3,700 Patients


Breach Details

  • Entity: Schewitz Psychological Services dba Couples Learn
  • Individuals Affected: 3,700
  • State: ME
  • Breach Type: Hacking/IT Incident
  • Location: Network Server
  • Date Reported: May 3, 2025
  • Entity Type: Healthcare Provider
  • Business Associate: No

A significant healthcare data breach has struck Maine-based Schewitz Psychological Services, operating under the name Couples Learn, exposing the protected health information (PHI) of 3,700 patients. The breach, reported to the U.S. Department of Health and Human Services on May 3, 2025, represents another stark reminder of the cybersecurity vulnerabilities facing mental health providers.

What Happened

Schewitz Psychological Services Inc., doing business as Couples Learn, experienced a hacking incident that compromised its network server. HHS classified the breach as a "Hacking/IT Incident" and lists the location of the compromise as the organization's network server.

While specific details about the nature of the cyberattack remain limited in public reporting, the incident has prompted the involvement of legal firms specializing in data breach litigation. Finkelstein, Blankinship, Frei-Pearson & Garber, LLP has announced they are investigating the breach and have successfully recovered millions of dollars for data breach victims in previous cases.

The law firm is actively reaching out to affected individuals who received breach notification letters, offering legal consultation services at (914) 298-3283 or via email at cis@fbfglaw.com.

Who Is Affected

The breach impacts approximately 3,700 individuals who were patients or clients of Schewitz Psychological Services/Couples Learn. Given the nature of the practice, which appears to focus on couples therapy and psychological services, the exposed information likely includes highly sensitive mental health records, treatment notes, and personal information.

Patients who received services from this Maine-based healthcare provider should have received formal breach notification letters detailing the incident and steps they can take to protect themselves. The organization submitted a breach notification sample titled "Couples Learn HIPAA Breach Notification.pdf" as part of their HHS reporting requirements.

Breach Details

According to the HHS Office for Civil Rights (OCR) breach report database, also known as the "Wall of Shame," the incident details include:

  • Entity Type: Healthcare Provider
  • Breach Classification: Hacking/IT Incident
  • Affected Systems: Network Server
  • Patient Impact: 3,700 individuals
  • Geographic Scope: Maine-based practice
  • Reporting Date: May 3, 2025

The breach represents a significant percentage of what is likely the practice's total patient base, suggesting the cyberattack may have compromised their primary patient database or electronic health record (EHR) system.

What This Means for Patients

For the 3,700 affected individuals, this breach poses several serious concerns:

Privacy Implications

Mental health records contain some of the most sensitive personal information, including:

  • Therapy session notes
  • Psychiatric diagnoses
  • Treatment plans and medications
  • Personal relationship details
  • Family history and trauma information

Financial Risks

Exposed personal information could potentially be used for:

  • Identity theft
  • Insurance fraud
  • Medical identity theft
  • Financial account compromise

Emotional Impact

Beyond financial concerns, patients may experience anxiety about the privacy of their most personal therapeutic discussions and mental health treatment details.

How to Protect Yourself

If you are a patient of Schewitz Psychological Services or Couples Learn, take these immediate steps:

Monitor Your Accounts

  • Review credit reports from all three major bureaus
  • Monitor bank and credit card statements for unauthorized activity
  • Watch for unexpected medical bills or insurance claims

Strengthen Security

  • Change passwords for healthcare portals and related accounts
  • Enable two-factor authentication where possible
  • Consider credit monitoring services
  • Place fraud alerts on your credit files

Stay Informed

  • Carefully review any breach notification letters received
  • Keep documentation of all breach-related communications
  • Contact the practice directly with questions about the incident

Legal Options

  • Consider consulting with legal professionals if you experience damages
  • Document any costs or impacts related to the breach
  • Understand your rights under state and federal privacy laws

Prevention Lessons for Healthcare Providers

This breach highlights critical cybersecurity challenges facing mental health practices:

Network Security Fundamentals

  • Implement robust network monitoring and intrusion detection systems
  • Regularly update and patch all server software and operating systems
  • Deploy advanced endpoint protection across all devices
  • Conduct regular vulnerability assessments and penetration testing

Access Controls

  • Enforce strict user authentication and authorization protocols
  • Implement role-based access controls to limit data exposure
  • Regularly audit user access permissions and remove unnecessary privileges
  • Deploy multi-factor authentication for all system access

Staff Training

  • Provide comprehensive cybersecurity awareness training
  • Conduct regular phishing simulation exercises
  • Ensure staff understand HIPAA compliance requirements
  • Create clear incident response procedures

Data Protection

  • Encrypt sensitive data both at rest and in transit
  • Implement secure backup and recovery procedures
  • Minimize data collection and retention to necessary information only
  • Regularly review and update privacy policies and procedures

Business Associate Management

  • Carefully vet all third-party vendors handling PHI
  • Ensure comprehensive Business Associate Agreements are in place
  • Regularly audit vendor security practices and compliance
  • Maintain an inventory of all systems and vendors with PHI access

The Schewitz Psychological Services breach serves as a reminder that healthcare providers of all sizes remain attractive targets for cybercriminals. Mental health practices, in particular, must recognize the heightened sensitivity of the information they protect and implement correspondingly robust security measures.

As healthcare continues to digitize and cyber threats evolve, organizations must prioritize cybersecurity investments and maintain vigilant security practices to protect patient trust and comply with HIPAA requirements.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
