Cyber Incident Victim: The Southeastern Council on Alcoholism and Drug Dependence, Inc.
Date: Feb 2019
Location: United States of America
Summary
The Southeastern Council on Alcoholism and Drug Dependence experienced a ransomware attack that disrupted its network, potentially exposing personal and medical information of patients. Following the incident, an investigation with third-party forensic experts found no evidence of actual data access but confirmed the possibility of exposure of names, addresses, Social Security numbers, medical histories, and treatment details. The organization notified affected individuals and offered complimentary credit monitoring and identity protection services as a precaution, while establishing a dedicated assistance line for inquiries. No misuse of information had been reported at the time of disclosure.
Description
On February 18, 2019, the Southeastern Council on Alcoholism and Drug Dependence, Inc. (SCADD) identified disruptions within its network operations. Subsequent analysis confirmed a ransomware infection had compromised organizational systems. SCADD immediately initiated an investigation with assistance from third-party forensic specialists to assess the incident's origin, scope, and potential data exposure. The forensic review focused on determining whether attackers accessed or exfiltrated sensitive information during the network compromise. While investigators found no conclusive evidence that personal or medical data was actively viewed or acquired by unauthorized parties, they acknowledged the theoretical possibility of access due to the ransomware's presence on systems containing protected information. The systems involved stored patient names, physical addresses, Social Security numbers, medical treatment histories, and clinical details related to substance abuse treatment programs. SCADD secured its network infrastructure following containment of the ransomware but could not definitively rule out incidental exposure of sensitive records during the encryption event.

SCADD formally notified the U.S. Department of Health and Human Services (HHS) about the breach under HIPAA regulations, reporting that 25,148 individuals receiving addiction treatment services were potentially affected. The organization began mailing individual notification letters to all impacted patients on May 10, 2019, advising them of the incident's nature and the categories of exposed data. As a precautionary measure, SCADD offered complimentary credit monitoring and identity theft protection services to those whose Social Security numbers or medical information resided on the compromised systems. A dedicated assistance hotline operated during weekday business hours was established to address patient inquiries regarding the breach. Public disclosure through a press release emphasized that no instances of identity fraud or medical information misuse had been detected post-incident, though the notification urged vigilance in reviewing financial statements and explanation of benefits forms. The organization did not disclose whether ransom demands were made or paid, nor did it identify the specific ransomware variant involved in the attack.
