On September 25, 2023, Riverdale Mental Health d/b/a Mosaic Mental Health (“MOSAIC”) notified HHS of an incident that affected 7,281 patients. The incident was coded as a “hacking/IT incident” involving their network, but no further details were available at the time.
On April 3, more than six months later, they sent out notification letters. Massachusetts limits what entities can disclose, but their notification to Massachusetts residents states:
On October 6, 2023, MOSAIC’s anti-malware program detected and isolated unauthorized activity within its computer systems (the “Incident”). Upon being alerted of the Incident, MOSAIC engaged a specialized incident response vendor to conduct a forensic investigation to determine the extent and root cause of the incident. The forensic investigation concluded that protected health information may have been accessed by an unauthorized user. As such, MOSAIC is notifying all those clients whose information may have been impacted as a result of the Incident.
If that timeframe is accurate, how did they report the incident to HHS on September 25 as affecting 7,281 patients?
An October 2023 report by HIPAA Journal states that the breach was discovered on July 27, 2023. That makes more sense. Unfortunately, HIPAA Journal doesn’t link to any source for their report.
But where is the explanation for why it took so long to notify patients?
DataBreaches emailed MOSAIC to inquire about the timeframe and to ask why it took so long to notify patients. No group ever claimed responsibility for this incident, but was this a ransomware attack or hack with an extortion demand? Was data exfiltrated or just accessed?
No reply was received by publication, but this post will be updated if a reply is received.
Re: An October 2023 report by HIPAA Journal – There was a breach notice on the Mosaic website in October that provided details that we included in the report, but that notice is no longer on the site.
Steve, The HIPAA Journal.
That’s what I guessed. Thanks for confirming it, Steve.