DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Crossroads Health of Lake County discloses breach affecting former Beacon Health patients

Posted on March 4, 2022 by Dissent

It’s not a huge breach in terms of numbers compared to other breaches we’ve seen, but an incident reported by Crossroads Health in Ohio caught my eye because once again, it was old (legacy) data that was accessed and exfiltrated.

In an undated statement on their website, Crossroads explains that an unauthorized party gained access to their systems from November 21, 2021 to January 18, 2022 and removed some files.

Crossroads does not indicate why they only first identified the incident on January 18 instead of months earlier when it began, but less than one week after identifying that there was an incident, they determined that the exfiltrated files were from a legacy system that held information on clients of Beacon Health, a behavioral health facility that merged with Crossroads.

Beacon Health had provided services to adults with mental illness and addiction disorders, and the merger took place in July, 2019. Alt

hough Crossroad’s notification doesn’t give any indication of how far back the data on the Beacon Health system might extend, they reported to HHS that 10,324 patients were being notified.

Analysis of the files in the compromised system found that they contained: names, contact information, dates of birth, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and/or health insurance information for the Beacon Health patients.

Concerned individuals can read the rest of the notice on Crossroads Health’s website.

But the point of including this incident on this blog is to point out that legacy data or old data continues to pose a risk of significant breaches.  This site has reported on a number of incidents in the past year from both the education sector and the healthcare sector where there was old — and in some cases, really, really old data on systems that were attacked.

If you don’t need the data for current operations, then why not encrypt it and take it offline (if you are not legally permitted to purge it)? It’s often cheaper to prevent breaches than to respond to them.  What would it cost you to do secure and take old data offline versus what it would cost you to investigate an incident, track down ten thousand or more patients — many of who may have moved or passed on — send notifications offering mitigation services that also cost you, and then defend an almost inevitable lawsuit? And then, of course, there’s also the issue of an investigation by HHS OCR and/or state attorneys general.

 

Category: Health DataU.S.

Post navigation

← The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts (PROMESA) discloses 2020 data breach
PA: Fleetwood Area School District hit by ransomware →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.