New Horizons Medical provides outpatient mental health and substance abuse treatment services in Fitchburg and Haverhill, Massachusetts. In 2024, they were acquired by the Lawrence Medical Center.
Today, the DevMan blog listed New Horizons Medical on its dark web leak site, with a countdown clock indicating less than 4 days left. The listing did not include any screenshots or proof of claims. It simply claimed that “90k 236gb” of data had been acquired.
DataBreaches emailed New Horizons Medical to ask whether they had confirmed any breach and whether DevMan, a RaaS operation, had encrypted any of their files. No reply has been received despite a second request, so there is no confirmation of any cyberattack at this time.
If New Horizons Medical did have a data breach, however, it would not be its first. In February 2023, it experienced a ransomware attack, with access and exfiltration continuing until April 23, 2023. New Horizons discovered the intrusion on April 19 and sent notification letters to affected patients and employees in June. A total of 12,317 patients were affected.
According to their notification letter in 2023:
For patients, the information may have included names and one or more of the following: addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, medical records numbers, health insurance plan member IDs, claims data, diagnoses, and prescription information. For employees, the information may have included names and one or more of the following: Social Security numbers, driver’s license numbers, financial account information, and health insurance plan member IDs.
At that time, New Horizons Medical wrote that, to help prevent something like this from happening again, it was implementing additional safeguards and technical security measures to further protect and monitor its systems.
So what happened now, if anything did happen?
This post will be updated if a reply is received or more information becomes available.