South Jersey Behavioral Health Resources has disclosed that they were hit with a ransomware attack on April 3. They do not indicate what group attacked them, or what any ransom demand may have been, and DataBreaches has not seen this incident on any leak site to date.
According to their notification, “The investigation remains ongoing, and at this time, SJBHR is unaware if any data related to individuals was subject to unauthorized access and/or acquisition.” They say they are notifying in — wait for it: “an abundance of caution.” The types of personal information that SJBHR maintains on its systems that could potentially be involved include an individual’s name and contact information, Social Security number, date of birth, medical record number, treating/referring physician, health insurance information, subscriber number, medical history information, diagnosis/treatment information.
It is not clear who they are notifying at this point if they don’t know if any data related to individuals was even accessed. Are they notifying everyone or are they not sending individual notifications yet? DataBreaches has sent an inquiry to them and will update this post when a reply is received. But then there’s this:
An Earlier Breach
When DataBreaches looked at SJRBHR’s website, it appeared that they had reported another incident just four days earlier — on March 30. That incident appeared to be a business email compromise that compromised some protected health information but did not provide all the data the threat actor had requested.
South Jersey does not seem to see any connection between the two data security incidents.
Do you believe in coincidences?