DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update: SERV Behavioral Health System Issues Notice of Breach

Posted on September 20, 2022 by Dissent

On August 6, DataBreaches reported that the Hive ransomware team claimed to have attacked SERV Behavioral Health System and encrypted SERV’s files on May 26. The listing was added to Hive’s site on July 14. SERV did not respond to email inquiries from DataBreaches in July.

Time passed, but Hive never added any “proof pack” or data leak to their listing for SERV.  And that’s where things remained until SERV issued a statement and notice to HHS on September 9 about the incident.

Their investigation, however, could neither confirm nor rule out that files had been accessed or acquired.  “While we are unaware of any actual or attempted misuse of your information as a result of this incident, we are providing this notice out of an abundance of caution,” SERV writes.

Hive often provides victims with samples of files. Did Hive provide any data to SERV? If not, did SERV request any proof or file list or anything?  And if they didn’t, why didn’t they?

So more than three months after they discovered an incident, SERV did not apologize for late notification to patients (HIPAA requires notice no later than 60 calendar days from discovery) and claimed they were notifying out of an abundance of caution?

Again, for the people in the upper deck who maybe didn’t hear this the first few thousand times: it is NOT an “abundance of caution” to notify if you are unsure what happened. The presumption is to notify unless you can prove there is no risk.  If you don’t know what happened, but it could have involved PHI, notify and stop suggesting you don’t have to. Think my advice is legally incorrect? It may be as I am not a HIPAA lawyer, but even if it is not obligatory to notify in this type of situation, I believe it should be considered at least best practice.

SERV reported the incident to HHS as impacting 8,110 patients.

DataBreaches asked Hive whether they would provide proof in light of SERV’s statement that they could not confirm data had been accessed. Hive replied, “No comment.”  SERV is their second medical sector breach that they have neither provided a proofpack for nor dumped, but the only one to claim that they were not sure data had been accessed or acquired.

 

Category: Breach IncidentsCommentaries and AnalysesHealth DataMalwareU.S.

Post navigation

← Scoop: Tift Regional Medical Center victim of ransomware attack in July
Ask.FM user database with 350m user records has shown up for sale (UPDATED with Denial from Ask.FM) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.