On January 17, Behavioral Health Resources (“BHR”) notified the U.S. Department of Health and Human Services (HHS) of a reportable breach, but not yet having determined the number affected, they used “501” as a placeholder. They also published a preliminary notice on their website. That notice indicated that on or about November 20, 2024, they had become aware of suspicious activity in their network.
By mid-January, the investigation had not confirmed that any information was actually viewed or exfiltrated, but BHR reported that based on the types of information stored on its system, any information accessed or acquired could have included “full name including maiden name, address, date of birth, Social Security number, telephone and/or fax number, medical record number, health plan beneficiary number, account number, certificate/license number, biometric and/or genetic data, full face photographic image, birth and/or marriage certificate, tribal ID, government-issued ID, taxpayer identification number (TIN), electronic/digital signature, financial institution name, medical billing information, medical information (including diagnosis and/or condition information, treatment information, lab results, provider name, physician, patient ID, medication information, admission date, discharge date, treatment cost information, and date of death), other healthrelated information and incidental health references, and health insurance information.”
On April 17, BHR provided an updated disclosure to the Maine Attorney General’s Office. Still reporting that their investigation could not conclusively determine whether data had actually even been viewed or accessed, they reported that a total of 50,083 people were being notified.
A check of HHS’s public breach tool today still shows the “501” placeholder, so it’s not yet clear whether BHR updated its report to HHS too. No ransomware gang or extortion group has ever publicly claimed responsibility for this incident or leaked data from it.
DataBreaches notes that there was another incident involving another BHR which was Behavioral Health Response in Missouri. That one was hit by INC Ransom, and there is no connection between the two BHR’s.