DataBreaches.net has found two behavioral health entities that reportedly or allegedly experienced recent cyberattacks involving protected health information of patients.
The first, Behavioral Health Partners of Metrowest (BHPMW), describes itself as a partnership that brings together leading social services and behavioral health agencies serving the Greater MetroWest region of Massachusetts. Together, they write, Family Continuity, Advocates, South Middlesex Opportunity Council (SMOC), Spectrum Health Systems, and Wayside Youth & Family Support Network provide services in mental health, substance use and addiction, housing, and social support for people of all ages.
Between September 14, 2021 and September 18, 2021, BHPMW’s systems was accessed by an unknown party. The breach was first discovered on October 1, 2021. The types of information involved include name, Social Security Number, date of birth, medical information, health insurance information, and other information. The report to the Maine Attorney General’s Office indicates that 11,288 people were affected. Letters to those affected were mailed on May 11,2022.
Allwell Behavioral Health Services is a private, not-for-profit provider of comprehensive community mental health services in Ohio. Data that appear to be theirs has been leaked on a dark web leak site by individuals who claim to have 200 GB of Allwell’s files. The data listed on the leak site is April 4, 2022, but it is not clear whether that refers to the date the system was attacked or the date the organization was added to the leak site.
Inspection of some of the files in the data leak reveal some personnel information as well as patients’ protected health information such as name, date of birth, phone number, prescription information, medical conditions, and health insurance information.
There is nothing on Allwell’s website at the time of this publication, and Allwell has not responded to emailed inquiry sent yesterday by the time of this publication. The leak site does not seem to have posted any contact information for the blog itself that would enable DataBreaches to ask it some questions about the claimed incident.
Update of May 24: Allwell notified the Montana AG’s Office on May 23. Their notification indicates that the intrusion occurred on March 2 and was detected on March 5. There is no mention of files being encrypted or any ransom or extortion demand. The letter indicates that HHS has been notified, but as the incident has not yet been posted on HHS’s public breach tool, we do not have any number affected yet.