DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Crossroads Health of Lake County discloses breach affecting former Beacon Health patients

Posted on March 4, 2022 by Dissent

It’s not a huge breach in terms of numbers compared to other breaches we’ve seen, but an incident reported by Crossroads Health in Ohio caught my eye because once again, it was old (legacy) data that was accessed and exfiltrated.

In an undated statement on their website, Crossroads explains that an unauthorized party gained access to their systems from November 21, 2021 to January 18, 2022 and removed some files.

Crossroads does not indicate why they only first identified the incident on January 18 instead of months earlier when it began, but less than one week after identifying that there was an incident, they determined that the exfiltrated files were from a legacy system that held information on clients of Beacon Health, a behavioral health facility that merged with Crossroads.

Beacon Health had provided services to adults with mental illness and addiction disorders, and the merger took place in July, 2019. Alt

hough Crossroad’s notification doesn’t give any indication of how far back the data on the Beacon Health system might extend, they reported to HHS that 10,324 patients were being notified.

Analysis of the files in the compromised system found that they contained: names, contact information, dates of birth, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and/or health insurance information for the Beacon Health patients.

Concerned individuals can read the rest of the notice on Crossroads Health’s website.

But the point of including this incident on this blog is to point out that legacy data or old data continues to pose a risk of significant breaches.  This site has reported on a number of incidents in the past year from both the education sector and the healthcare sector where there was old — and in some cases, really, really old data on systems that were attacked.

If you don’t need the data for current operations, then why not encrypt it and take it offline (if you are not legally permitted to purge it)? It’s often cheaper to prevent breaches than to respond to them.  What would it cost you to do secure and take old data offline versus what it would cost you to investigate an incident, track down ten thousand or more patients — many of who may have moved or passed on — send notifications offering mitigation services that also cost you, and then defend an almost inevitable lawsuit? And then, of course, there’s also the issue of an investigation by HHS OCR and/or state attorneys general.

 

Related posts:

  • Beacon Health System notifies patients after phishing attack (update2)
  • Stanford researchers identify potential security hole in genomic data-sharing network
Category: Health DataU.S.

Post navigation

← The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts (PROMESA) discloses 2020 data breach
PA: Fleetwood Area School District hit by ransomware →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.