Behavioral Health Group (BHG), an outpatient opioid treatment and recovery center in the US, has started informing nearly 200,000 patients that their information was stolen by threat actors more than eight months ago during a cybercriminal campaign.
BHG admitted that the attacks happened in December last year, and the extortion from hackers was also seen at that time.
A cybersecurity firm reported that the recovery center and its 80 clinics experienced nearly seven days without IT systems that hindered the patients’ care since the attack temporarily forced the clinics to shut down some parts of their networks.
The attack resulted in delays of patients’ medications, as the computer in charge of printing prescriptions was also offline. At that instance, the specific type of attack was still a mystery.
Moreover, BHG’s notice confirmed that the December cybersecurity attack incident enabled the threat actors to remove some files and folders from portions of the network before the consecutive attacks on December 5 last year.
The investigation revealed that the actors included numerous patients’ data in the removed files. The data stolen from the attack could consist of Social Security numbers, patient names, driver’s licenses, passports, health insurance information, diagnoses, prescriptions, treatments, dates of service, and medical record numbers.
BHG recovery center increased its cyber defence after the cyberattacking incident.
BHG has made its IT network more potent against cyberattacks after it suffered the breach last year. The entity reset all its account passwords, fortified password requirements, added MFA authentication, upgraded its endpoint detection software, implemented a third-party security solution, and trained its employees in spotting threats.
In a related incident, more than a hundred thousand patients were affected by a security event in the First Choice Community Healthcare in New Mexico. The company has informed them that their personal and protected health information was accessed and stolen by unknown threat actors last March.
The notice did not reveal a detailed description of the attack, the specific threat behind the incident, or the delays before reporting it to the patients. Researchers now believe that the patients’ data is identical to the information mentioned earlier.
