DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Behavioral health entities in Massachusetts and Ohio reportedly victims of cyberattacks

Posted on May 18, 2022 by Dissent

DataBreaches.net has found two behavioral health entities that reportedly or allegedly experienced recent cyberattacks involving protected health information of patients.

The first, Behavioral Health Partners of Metrowest (BHPMW), describes itself as a partnership that brings together leading social services and behavioral health agencies serving the Greater MetroWest region of Massachusetts. Together, they write, Family Continuity, Advocates, South Middlesex Opportunity Council (SMOC), Spectrum Health Systems, and Wayside Youth & Family Support Network provide services in mental health, substance use and addiction, housing, and social support for people of all ages.

Between September 14, 2021 and September 18, 2021, BHPMW’s systems was accessed by an unknown party. The breach was first discovered on October 1, 2021. The types of information involved include name, Social Security Number, date of birth, medical information, health insurance information, and other information. The report to the Maine Attorney General’s Office indicates that 11,288 people were affected. Letters to those affected were mailed on May 11,2022.

Allwell Behavioral Health Services is a private, not-for-profit provider of comprehensive community mental health services in Ohio. Data that appear to be theirs has been leaked on a dark web leak site by individuals who claim to have 200 GB of Allwell’s files. The data listed on the leak site is April 4, 2022, but it is not clear whether that refers to the date the system was attacked or the date the organization was added to the leak site.

Inspection of some of the files in the data leak reveal some personnel information as well as patients’ protected health information such as name, date of birth, phone number, prescription information, medical conditions, and health insurance information.

There is nothing on Allwell’s website at the time of this publication, and Allwell has not responded to emailed inquiry sent yesterday by the time of this publication. The leak site does not seem to have posted any contact information for the blog itself that would enable DataBreaches to ask it some questions about the claimed incident.

Update of May 24: Allwell notified the Montana AG’s Office on May 23. Their notification indicates that the intrusion occurred on March 2 and was detected on March 5. There is no mention of files being encrypted or any ransom or extortion demand. The letter indicates that HHS has been notified, but as the incident has not yet been posted on HHS’s public breach tool, we do not have any number affected yet.

 

Related posts:

  • U.S. medical entities fall prey to Pysa threat actors, but many haven’t disclosed it – at least, not yet.
  • Pysa shuttered its leak site before it ever dumped data from more than half a dozen schools. Here’s what we know so far.
Category: Breach IncidentsHealth DataOf NoteU.S.

Post navigation

← Update: More than 90,000 South Australian public servants now involved in payroll data breach
Immediate care facility in Chicago hacked in December. Do patients know? (UPDATE1) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.