Retreat Behavioral Health (RBH) has addiction treatment facilities in Florida, Pennsylvania, and Connecticut. On July 1, 2022, they reportedly detected a ransomware attack. Letters were sent out this week, but because Massachusetts actually prohibits entities from providing important details in notifications to consumers, there’s a lot we don’t know about this incident yet.
Specifically, the letter does not indicate what ransomware group was involved, whether any files were encrypted by the attackers, whether there was a ransom demand, and if so, whether RBH paid ransom.
DataBreaches has not spotted this incident or victim on any leak site, and because no notice was easily found on their website, DataBreaches sent inquiries via the site’s contact form. Hopefully, they’ll respond.
In the interim, here’s their notification to Massachusetts: https://www.mass.gov/doc/assigned-data-breach-number-28814-retreat-behavioral-health/download.
The incident is not on HHS yet, so we do not yet have the number of patients affected.
Update: the incident was reported to Maine as impacting a total of 23,620 patients. The types of information that may have been compromised include first and last name, address, Social Security number, and, in some cases, date of birth and medical and treatment information.
As of Jan. 12, this incident still has not appeared on HHS’s breach tool or on any leak site.
Where is the information for the class action
Haven’t seen one yet, but I’m sure some ransomware-chasing law firm will claim to be investigating and blahblahblah….
Well, my deets are out there, someone let me know when there’s a class-action. This is ridiculous. I just got my letter today.