Cyber Incident Victim: Health Recovery Services
Date: Nov 2018
Location: United States of America
Summary
Health Recovery Services experienced unauthorized network access potentially compromising sensitive patient data, prompting notification to over 20,000 individuals. The breach exposed names, addresses, dates of birth, and for patients admitted after 2014, additional details including diagnoses, insurance information, and treatment records. While investigators found no conclusive evidence that electronic protected health information was accessed, they could not definitively exclude the possibility. The incident particularly impacted individuals receiving mental health and addiction treatment services, heightening concerns due to the sensitive nature of the exposed clinical and personal information. The organization discovered the intrusion after several months of unauthorized access.
Description
Health Recovery Services (HRS), an Athens, Ohio-based organization specializing in mental health and addiction treatment services, discovered unauthorized network access impacting patient data. On February 5, 2019, HRS identified an intrusion involving an unauthorized IP address that had gained access to their systems. Forensic investigations determined the breach timeline extended from November 2018 until its discovery in February 2019, representing approximately three months of potential exposure. While investigators found no conclusive evidence that electronic protected health information (ePHI) was actually viewed or exfiltrated during this period, they could not definitively rule out access to patient records. This uncertainty prompted HRS to initiate notifications to affected individuals by April 5, 2019, nearly two months after discovering the breach. The organization's investigation focused on determining both the duration of unauthorized access and the specific types of data potentially compromised through the network intrusion.

The incident impacted 20,485 patients whose personal and health information was potentially exposed. Compromised data elements included names, addresses, and dates of birth for all affected individuals. For patients who became clients after 2014, the exposure extended to more sensitive health information including diagnoses, insurance details, and treatment records. The nature of HRS's services—focusing on mental illness and substance addiction treatment—made the exposed diagnostic and therapeutic information particularly sensitive. HRS issued formal notifications to all impacted individuals describing the breach parameters and the categories of information involved. The organization did not publicly disclose specific technical details about the intrusion method, network vulnerabilities exploited, or containment measures implemented beyond confirming the unauthorized IP access timeframe from November 2018 through February 2019. No evidence suggested misuse of patient data occurred following the breach discovery.
