Cyber Incident Victim: Riverside Community Care
Date:
Oct 2020
Location:
United States of America
Summary
Riverside Community Care, a behavioral healthcare provider, experienced a ransomware incident where attackers exfiltrated and publicly leaked sensitive data. The compromised information included staff personal details such as names, home addresses, and cellphone numbers, alongside protected health information like patient discharge summaries listing medications and a home health care plan detailing a schizophrenia diagnosis. Despite evidence of the breach being posted on a dedicated leak site, the organization did not publicly acknowledge the incident, issue patient notifications, or appear on regulatory breach reports at the time of the article's publication.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 21, 2020, ransomware threat actors operating under the name Conti added Riverside Community Care Inc. to their dedicated leak site following a cyberattack. Riverside, a Massachusetts-based provider of behavioral healthcare and human services for children, families, and adults, was confirmed as a HIPAA-covered entity. Conti actors posted multiple files as proof of data exfiltration, including one containing staff members' names, home addresses, and cellphone numbers. Another file contained a patient discharge summary listing medications, while a third file exposed a named patient’s home health care plan with full personal details and a schizophrenia diagnosis. The attackers publicly disseminated these records to pressure Riverside into paying a ransom, marking a shift from previous ransomware models where data was typically held for private sale rather than openly distributed. Conti’s leak site operated on both dark web and clearnet platforms, increasing accessibility to the stolen data. DataBreaches.net identified the incident on the leak site and contacted Riverside via email on October 21, detailing the specific types of exposed protected health information (PHI) and personally identifiable information (PII). The compromised data included clinical and administrative records, reflecting the organization’s operations across behavioral health and community programs.
Riverside Community Care did not respond to DataBreaches.net’s inquiries or issue any public statements about the breach as of November 8, 2020. No breach notification appeared on the organization’s website, and no filing was visible on the U.S. Department of Health and Human Services (HHS) public breach portal, despite HIPAA’s requirement to report breaches affecting 500 or more individuals within 60 days of discovery. The absence of disclosures left patients and staff unaware that their sensitive data, including psychiatric diagnoses and contact information, was circulating among criminals. Conti’s data dump exposed individuals to risks of identity theft, targeted scams, and medical privacy violations, compounded by the lack of guidance from Riverside on protective measures. The incident formed part of a broader pattern involving Conti, which listed six healthcare entities on its leak site between August and October 2020, none of which had issued public notifications or regulatory filings at the time of reporting. Riverside’s operational scope—spanning clinical care, community services, and employee records—suggested wide-ranging exposure across its systems, though the full data exfiltration volume remained unconfirmed due to the organization’s non-disclosure. The attackers’ selective publication of files implied further unreleased data might exist, heightening uncertainties for affected parties.