Cyber attack on U.S. drug rehab service BHR exposed more than 50,000 patients

American substance use treatment provider Behavioral Health Resources said the data security incident it suffered last year compromised the sensitive personal information of more than 50,000 individuals.

 

Based in Olympia, Washington, Behavioral Health Resources is a multi-county provider of behavioural health and substance abuse disorder treatment services. The treatment provider operates in the state of Washington’s Thurston, Mason and Grays Harbor Counties.

 

In a data security incident notice posted on its website, BHR said that on November 20, it identified suspicious activity in its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The investigation determined that on or before November 20, 2024, an unauthorised actor gained access to certain systems and that certain information contained in those systems was accessible,” it said.

 

The compromised data included patients’ names, addresses, dates of birth, Social Security numbers, telephone numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, biometric and genetic data, full face photographic images, birth and marriage certificates, tribal IDs, government-issued IDs, taxpayer identification numbers, digital signatures, financial institution names, medical billing information, medical information and other health-related information and more.

 

BHR reported the incident to the Office of Maine Attorney General, stating that it identified at least 50,083 individuals who were impacted by the incident.

 

“Upon learning of this event, we launched an investigation and worked to assess the security of BHR’s computer environment. As part of our ongoing commitment to information security, we are also reviewing our existing policies and procedures and implementing safeguards to further secure the information in our care,” BHR added.

 

BHR has urged all affected individuals to remain vigilant and monitor their credit reports and financial statements for any suspicious activities and to report suspicious activities to relevant law enforcement authorities and their banks. It has also offered complimentary credit monitoring and identity theft protection services via Equifax to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on BHR. The healthcare provider also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.