In July, DataBreaches.net reported that threat actors calling themself “Grief” claimed to have attacked NY-based Rehabilitation Support Services (RSS), an agency that provides services to more than 3,000 individuals with psychiatric and substance abuse disorders each year.
Grief claimed to have exfiltrated 4 GB of data from RSS, and offered some small proof of claim. For its part, RSS repeatedly ignored inquiries sent by this site asking them to confirm or deny Grief’s claims.
On September 10, Rehabilitation Support Services, Inc. (RSS) issued a press release that claims that they “recently” learned of an incident.* In any event, they announced that the incident might affect the security of its employees’ and clients’ data. To their credit, their notification clearly states that data was published on a dark web website. Letters were sent to affected individuals on September 8.
The information accessed by the unauthorized actor varies per individual but may include: name, address, date of birth, Social Security number, health insurance information, and/or medical diagnosis or treatment information.
The notification does not indicate how many employees and clients had protected health information involved. The incident has not appeared on HHS’s public breach tool by the time of this posting.
You can read the full press release on RSS’s web site.
**Note: I wish someone would stop entities from claiming they recently learned about an incident when they first discovered suspicious activity three months ago or more.