Date: Sep 2021

Location: United States of America

Summary

Behavioral Health Partners of Metrowest experienced a data breach where an unauthorized actor accessed its network and exfiltrated sensitive information affecting 11,288 patients. The intrusion occurred over several days, compromising names, contact details, Social Security numbers, dates of birth, health insurance information, diagnoses, and treatment data. The organization secured its systems, engaged external cybersecurity experts for investigation, and reported the incident to law enforcement authorities for further action.

Description

Behavioral Health Partners of Metrowest (BHPMW) discovered that a hacker copied patient data from its digital environment between September 14 and September 18, 2021. BHPMW, which coordinates care with Massachusetts healthcare providers under contracts including MassHealth and five provider agencies, was informed of the data theft in October 2021. The organization immediately secured the impacted environment and engaged an external cybersecurity firm to investigate the incident. Forensic analysis confirmed unauthorized access to BHPMW’s network during the four-day period, resulting in the exfiltration of sensitive patient information. The compromised data included names, contact details, Social Security numbers, dates of birth, client identification numbers, health insurance information, and diagnoses or treatment details. BHPMW reported the breach to the Federal Bureau of Investigation and committed to cooperating with their ongoing investigation. No evidence was provided regarding whether the stolen data was further disseminated or misused following the exfiltration.

The breach affected 11,288 patients who received services through BHPMW’s partnerships with state and local healthcare entities. BHPMW did not disclose specific technical details about the attack vector, network vulnerabilities, or operational disruptions caused by the incident. The organization’s public notification occurred months after the discovery, though the timeline aligned with the completion of the forensic investigation. No ransomware deployment or data encryption was mentioned in connection with this incident, distinguishing it from contemporaneous attacks on other healthcare entities described in the same reporting period. BHPMW did not specify whether it implemented new security measures post-incident beyond cooperating with law enforcement and external investigators. The stolen data combination created significant identity theft and fraud risks for impacted individuals due to the inclusion of financial identifiers and health information.
