Cyber attack on Horizon Behavioural Health exposes personal information of nearly 50,000 patients

American healthcare provider Horizon Behavioural Health said that a security incident it suffered earlier this year compromised the sensitive personal information of almost 50,000 individuals.

 

Based in Lynchburg, Virginia, Horizon Behavioural Health is a multi-county provider of behavioural health, intellectual disability and substance abuse disorder treatment services.

 

In a data security incident notice published on its website, HBH said that on March 16, it identified issues within its computer network. The healthcare provider’s immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

The investigation determined that HBH suffered a significant ransomware attack where threat actors infiltrated its internal network, accessed confidential files and encrypted critical systems with malware.

 

“Based on their investigation, it appears the incident began on or around March 13, 2025. Between March 13, 2025, and March 16, 2025, information from Horizon’s systems may have been inappropriately accessed and/or obtained by an unauthorised user,” HBH said. 

 

The compromised data included names, Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, clinical information including diagnosis/conditions, medications, and information related to insurance or claims information.

 

In a filing with the U.S. Department of Health and Human Services Office for Civil Rights, HBH said that it has identified at least 49,822 individuals impacted by the incident.

 

“We have notified state and federal law enforcement, including the FBI’s Cyber Crimes Division, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Fusion Center of the Virginia State Police. Horizon is supporting all law enforcement investigations into this matter.

 

“We take our obligation to safeguard personal information very seriously and are continuing to evaluate additional actions to strengthen our network security in the face of an ever-evolving cyber threat landscape,” the healthcare provider added.

 

HBH has urged all affected individuals to remain vigilant and monitor their credit reports and financial statements for any suspicious activities and to report suspicious activities to relevant law enforcement authorities and their banks. 

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on HBH. The healthcare provider also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.