Cyber Incident Victim: New York Psychotherapy and Counseling Center
Date:
Sep 2021
Location:
United States of America
Summary
The New York Psychotherapy and Counseling Center experienced unauthorized third-party access to an internal computer server containing patient information, potentially compromising protected health data including names, addresses, dates of service, Medicaid IDs, and dates of birth. The breach involved exfiltrated files and reports with sensitive details, though the specific scope of accessed or acquired information remained undetermined. No additional systems beyond the targeted server were confirmed as affected by the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 11, 2021, the New York Psychotherapy and Counseling Center (NYPCC) identified unauthorized third-party access to a computer server within their office infrastructure. The breach discovery occurred on the same day the intrusion took place, though the exact duration of unauthorized access prior to detection was not disclosed. The compromised server stored internal organizational reports and operational files, some of which contained protected health information (PHI) belonging to patients. Based on NYPCC’s investigation, the exposed data fields potentially included patient names, dates of service, residential addresses, Medicaid identification numbers, and dates of birth. No evidence suggested the attackers accessed systems beyond this specific server. The center did not publicly confirm whether the intrusion involved malware deployment, data encryption, or explicit ransom demands, nor did they disclose the intrusion method used by the threat actor.
The incident exposed sensitive patient identifiers and government program participation details through Medicaid IDs, increasing risks of identity theft and insurance fraud. NYPCC did not specify the total number of affected individuals in available notifications, nor did they indicate whether they reported the breach to federal regulators under HIPAA requirements. The organization’s public disclosure lacked technical details regarding containment measures, forensic investigation methodologies, or post-incident security enhancements. Internal reports compromised in the breach could have contained additional operational or administrative data beyond the confirmed PHI elements. Patients faced potential misuse of their Medicaid identifiers, which could facilitate fraudulent billing or service requests within public healthcare systems. The absence of disclosed patient impact figures limited public assessment of the breach’s scale relative to other healthcare incidents reported during the same period.