Cyber Incident Victim: Horizon House

On March 5, 2021, Horizon House, Inc., a Philadelphia-based mental health and residential treatment services provider, detected suspicious activity on its IT network. An investigation determined that unauthorized actors had accessed Horizon House systems between March 2 and March 5, 2021, during which time they deployed ransomware and exfiltrated sensitive data. The cyberattack compromised personal and medical information belonging to 27,823 individuals. Forensic analysis revealed the attackers obtained names, addresses, Social Security numbers, driver's license numbers, state identification card numbers, dates of birth, financial account information, medical claim details, medical record numbers, patient account numbers, medical diagnoses, treatment information, and health insurance data. Horizon House publicly disclosed the breach through a security notice but did not specify whether ransom demands were made or paid.

The organization completed a review of compromised files and began notifying all affected individuals following the investigation. Impacted parties received guidance to monitor for fraudulent activity stemming from the exposure of their sensitive information. No additional technical containment measures or system restoration details were publicly documented beyond the detection timeline. The incident exposed highly sensitive psychotherapy-related data alongside traditional identifiers and financial records, significantly elevating privacy risks for victims. Horizon House did not report operational disruptions to clinical services but confirmed the breach involved both data theft and encryption via ransomware. Regulatory notifications were made in compliance with healthcare data breach requirements, though specific agencies were not named in the disclosure.