Cyber Incident Victim: Rehabilitation Support Services
Date: Jun 2021
Location: United States of America
Summary
A threat actor known as "Grief" compromised Rehabilitation Support Services, a provider of psychiatric and substance abuse support across multiple New York counties, exfiltrating approximately 4 GB of sensitive data. The stolen information included internal company documents, financial records, health insurance details, medical certifications, and personally identifiable information such as Social Security numbers, driver’s licenses, and client lists including children and nursing home residents. Grief threatened to publish the data incrementally unless the organization responded, though no encryption of files was confirmed. The organization did not publicly acknowledge the incident or respond to inquiries, leaving potential exposure risks for affected clients and employees due to the highly sensitive nature of the compromised data.
Description
On or around June 2, 2021, threat actors identifying themselves as "Grief" claimed to have breached Rehabilitation Support Services, Inc. (RSS), a New York-based agency providing psychiatric and substance abuse rehabilitation services across 13 counties. The attackers stated they had compromised RSS's network and exfiltrated approximately 4 GB of data from file servers, including internal company documents, personal information, and customer data. Grief announced their intention to publish the stolen data incrementally unless the organization responded, with their final update on the incident posted by June 29. The compromised data was organized into folders labeled "Accounts," "Misc," "Property," "Financial," "Docs," "TimeSheets," "Audits – Financial Statement," "Accrual Reports," and "Clinton Avenue Housing," containing financial records such as balance sheets, tax documents, checks, deposits, bank statements, invoices, capital project summaries, and preliminary estimated projections. Additional materials included site plans, health insurance details, and operational documents like loan applications, repayment transmittal forms, resume reference requests, and healthcare certifications.

The exfiltrated data contained sensitive personal information, including Social Security numbers and driver’s license numbers belonging to both clients and employees. Medical documentation, nursing home resident lists, children’s lists, and COVID-19-related records were also identified in the breach. Despite multiple email inquiries from Databreaches.net to RSS across various addresses, the organization provided no public response or acknowledgment of the incident, and no confirmation emerged regarding whether file encryption occurred. The absence of confirmed ransomware encryption suggested the primary impact stemmed from data theft rather than operational disruption. Given the nature of the exposed information, particularly healthcare details and personally identifiable information, the incident warranted potential notifications to affected patients and employees, though RSS’s public silence left the scope of any mitigation efforts unverified. The breach exposed vulnerabilities in RSS’s data security practices, impacting trust for a provider serving over 3,000 individuals annually through residential group homes, case management, supported employment, and recovery programs.
