Cyber Incident Victim: Summit Behavioral Healthcare

Summit Behavioral Healthcare, LLC (SBHC) detected suspicious activity involving employee personal information in late May 2020, prompting an investigation into specific email accounts. The organization engaged a third-party digital forensics firm to analyze the incident, which revealed potential unauthorized access to two employee email accounts. The forensic investigation concluded on January 21, 2021, confirming that protected health information (PHI) belonging to patients had been present in the compromised email accounts. While the exact timeline of unauthorized access wasn't specified, the incident window spanned from the initial detection in May 2020 through the investigation's completion in January 2021. The breach exposed sensitive patient data, though the notification didn't quantify the number of affected individuals or specify whether the attackers exfiltrated data beyond accessing the accounts.

SBHC implemented additional security measures for its email systems and overall data security infrastructure following the investigation. The organization began mailing notification letters to potentially impacted individuals after the January 2021 conclusion date, detailing the incident's nature and listing the specific types of compromised information. Affected parties received guidance on monitoring and protecting their personal data, supplemented by a dedicated toll-free call center (833-726-0935) established to address inquiries and concerns. SBHC publicly acknowledged the incident on February 26, 2021, emphasizing the priority placed on PHI security and expressing regret for potential inconveniences caused to patients. No ransomware involvement, financial theft, or operational disruptions beyond the email account compromise were disclosed in the public statement.