On September 1, a listing on a dark web site by a group calling themselves Don#t_Leaks named MonarchNC as a victim. The listing did not appear for long. The only “proof” offered at the time was a filetree and a screencap of what might be an index of an inbox showing the monarchnc.org domain in email addresses; other writing was in Arabic.
Monarch has now notified HHS of a breach that impacted 56,155 patients. But there is no notice on Monarch’s web site that explains the incident or provides any details about any incident involving this provider of mental health and substance use disorder services to clients. A search of archive.org for past home pages of the website also failed to uncover any substitute notices or alerts on their web site.
Monarch has yet to respond to inquiries sent to it by DataBreaches asking whether the bad actors had encrypted files, whether Monarch had paid to get a decryption key, and whether Monarch had paid to get any patient data deleted.
This post will be updated when more information becomes available, but some explanation is needed for the delay in notification and for whether patients have been fully notified as to what happened.
Update 1: On December 16, Monarch also reported this incident to Massachusetts, indicating that they first became aware of a problem on August 29, 2022. They do not say how they became aware, and they do not indicate whether files were encrypted, although they do say it was a ransomware incident. So we are still missing a lot of information, but patients have probably received notification letters by now.