Cyber Incident Victim: Gateway Rehab

Date: Jul 2022

Location: United States of America

Summary

A Pennsylvania-based addiction rehabilitation organization experienced a ransomware attack by the BlackByte group, resulting in the exfiltration and leak of over 4 GB of sensitive data. The compromised information included internal financial records, patient spreadsheets, and hundreds of historical files detailing personal and clinical information from community treatment programs. Specific leaked documents contained arrest histories, behavioral health records, and termination reports for individuals enrolled in services, exposing highly sensitive substance use and rehabilitation details. The attackers employed a double extortion model, threatening further leaks unless demands were met, though the organization's response and final data disposition remained unclear following the takedown of BlackByte’s original leak site.

Description

In July 2022, Gateway Rehab, an addiction rehabilitation organization operating in western Pennsylvania and Ohio, experienced a cybersecurity incident involving the BlackByte ransomware group. BlackByte claimed responsibility for the attack and subsequently leaked over 4 GB of the organization’s data on their dedicated leak site. The leaked data included internal business documents such as accounts receivable and payable records, alongside spreadsheets containing personally identifiable information of named patients. Additionally, hundreds of historical files from community treatment programs were exposed, including sensitive personal details. Among the compromised documents were Pennsylvania "Extraordinary Occurrence" report forms dating from 2001 to 2005, which identified individuals who had absconded from Gateway Rehab’s programs. These reports contained highly sensitive information, including arrest records, behavioral histories, substance use issues, and program termination or re-classification recommendations.

BlackByte employed a double extortion model, encrypting data while threatening further leaks unless ransom demands were met. The group set an 18-day countdown timer for Gateway Rehab, indicating additional data would be published upon expiration. When questioned by DataBreaches.net, BlackByte justified their actions by criticizing Gateway Rehab’s data protection practices, stating they had offered "a favorable price for correcting their mistakes" but claimed the organization preferred risking regulatory fines. No public statements from Gateway Rehab regarding notifications to affected individuals or incident response measures were reported in the source material. By August 2022, BlackByte’s original leak site had shut down, and their new site no longer listed earlier victims, leaving the status of Gateway Rehab’s exfiltrated data unclear. The article noted that HHS would likely investigate the incident if formally reported, particularly to assess compliance with security regulations, though no confirmation of such reporting was provided.