Cyber Incident Victim: Bergens Promise

On November 15, 2021, Bergen’s Promise, a care management organization based in New Jersey, detected suspicious activity involving an employee email account. The organization’s investigation determined that an unauthorized party had gained access to six employee email accounts during a four-day period from November 15 to November 18, 2021. The breach discovery prompted immediate internal review efforts, though the specific method of initial intrusion was not publicly disclosed. Bergen’s Promise did not confirm whether multi-factor authentication or other safeguards were bypassed during the incident. The compromised email accounts contained sensitive personal information belonging to individuals under the organization’s care management services.

The incident impacted 6,948 individuals initially, though this figure was later revised upward to 7,513 affected persons. Bergen’s Promise completed its forensic investigation and implemented updated security protocols following the breach containment. Notification letters were dispatched to impacted individuals in June 2022, approximately seven months after the initial detection. The organization did not publicly specify whether the delayed notification was attributable to investigative complexity, third-party coordination, or regulatory requirements. No ransomware deployment or data destruction was reported in connection with the email account compromises. The breach contributed to broader healthcare sector cybersecurity concerns alongside contemporaneous incidents affecting Covenant Care California and Eye Care Leaders. Bergen’s Promise did not disclose whether threat actors exfiltrated data or made ransom demands related to the accessed information.