Cyber Incident Victim: Hope Health Systems

On June 20, 2022, Hope Health Systems, Inc. (HHS) detected a potential cybersecurity incident when portions of its computer network became encrypted. The Maryland-based mental health services provider immediately engaged an external cybersecurity firm to investigate the event. Forensic analysis confirmed unauthorized access to HHS systems had occurred starting June 10, 2022, ten days prior to detection. By August 24, 2022, investigators determined that encrypted files contained sensitive patient information, though they could not verify whether attackers actually viewed or exfiltrated this data. The compromised records included names, addresses, dates of birth, Social Security numbers, driver's license numbers, health insurance details, and medical information. HHS completed its review of affected files on October 18, 2022, identifying all impacted individuals across its three Maryland facilities in Woodlawn, Greenspring, and Carroll County.

HHS formally reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights on November 21, 2022, and initiated notification letters to affected patients the same day. The 134-employee organization, which generates $36 million annually from mental health and substance abuse services, confirmed the incident exposed data from both institutional and outpatient treatment settings. While the breach notification did not specify the total number of affected patients, it acknowledged variations in compromised data elements per individual. No ransomware group claimed responsibility, and HHS made no public statements regarding payment demands or system restoration timelines. The company's disclosure emphasized the potential risks of identity theft and fraud stemming from exposed personal and medical information but provided no evidence of actual misuse occurring post-breach.