Date: Aug 2023

Location: United States of America

Summary

Region 4 South Mental Health Consortium experienced a ransomware attack that compromised its computer network. The incident resulted in unauthorized acquisition of personal and protected health information, including names, Social Security numbers, and medical treatment details. Data was restored from backups without paying a ransom. The organization notified affected individuals and regulators while enhancing its security measures.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On August 6, 2023, the computer network of Region 4 South Mental Health Consortium was impacted by a ransomware incident that affected Grant County. The organization, which provides mental health services for adults in Douglas, Grant, Stevens, Traverse, and Pope counties, discovered the attack and immediately began working with the county and a nationally recognized digital forensics firm to understand the nature of the event, contain the ongoing attack, and determine the full scope of the incident. The external IT providers for Region 4 were able to restore much of the organization's data from existing backups without capitulating to the ransom demands of the cybercriminals, allowing Region 4 to become fully operational again following the disruption. This restoration process was a critical step in mitigating the immediate operational impact of the ransomware, though the full implications for data security were not yet known at that time.

The investigation into the incident revealed a more severe compromise than initially apparent. On August 29, 2023, Region 4 determined that some of its data had been exfiltrated, or taken, from the County's network. This discovery marked a significant escalation in the severity of the incident, shifting it from a system availability issue to a confirmed data breach. Upon learning that data had been acquired without authorization, Region 4 initiated an extensive and thorough review of the identified data set. The purpose of this review was to ascertain precisely what types of sensitive information were involved and which individuals may have been affected, a necessary precursor to providing formal notification as required by compliance obligations.

The data involved in the incident was extensive and highly sensitive, reflecting the personal and health information handled by the mental health consortium. The affected information included an individual’s name, coupled with some or all of the following data elements: address, date of birth, and Social Security number. Furthermore, the breach encompassed information regarding services provided to individuals by Region 4 and its predecessor entities. This service-related information included specific details such as locations of service, dates of service, patient identification numbers, or other unique identifiers related to the services provided. Insurance information was also compromised, including insurance identification numbers and insurance or billing information, which could be used for fraudulent purposes.

Critically, the scope of the breached information extended into deeply personal health records. The information involved included details regarding an individual's physical, medical, or mental health conditions, diagnoses, and/or treatments. This also encompassed medication information, laboratory results, and information related to substance use, all of which are considered protected health information under federal regulations. For a small number of individuals, the compromised information included a driver's license number. It is important to note that the incident did not impact Region 4's electronic medical record system, indicating that the primary clinical records remained secure and separate from the data that was exfiltrated from the county network.

Following the investigation and the determination of the data involved, Region 4 commenced a notification process on October 5, 2023. The organization mailed written notices to individuals whose protected health information and/or personal information may have been acquired without authorization. However, due to insufficient or outdated contact information, Region 4 could not provide written notice to every potentially impacted individual. To ensure these individuals were still reached, the organization posted a detailed notice on its website and established a dedicated toll-free telephone number, (833) 436-4323, operational between 8:30 AM and 4 PM Central Time, Monday through Friday. This line allowed individuals to call and determine whether their information was included in the data impacted by the security incident.

In response to the breach, Region 4 is offering complimentary identity monitoring services to those individuals whose Social Security number and/or driver’s license number was involved in the incident. This offer is a direct mitigation effort aimed at helping those at highest risk of identity theft and financial fraud monitor their credit and personal information for signs of misuse. The organization has urged all potentially impacted individuals to remain vigilant for incidents of fraud and identity theft by regularly reviewing their account statements, obtaining and scrutinizing their free credit reports, and carefully examining their health insurance Explanation of Benefits (EOB) forms for any unauthorized or suspicious activity.

Concurrently, Region 4 has undertaken several internal measures to further enhance its security posture and help prevent similar occurrences in the future. These steps include an enterprise-wide password reset to invalidate any credentials that may have been compromised during the attack. The organization has also enhanced its system backup procedures to ensure more robust and resilient data recovery capabilities. Furthermore, Region 4 has updated and strengthened its remote access and file access procedures, aiming to limit potential entry points for attackers and tighten controls over sensitive data. These actions represent a concerted effort to fortify its network defenses against evolving cyber threats.

In accordance with its compliance obligations and responsibilities, Region 4 is providing formal notice of this incident to the United States Department of Health and Human Services and all appropriate state regulators. This reporting is a mandatory step under laws such as the Health Insurance Portability and Accountability Act (HIPAA) when a breach of protected health information occurs. The organization has publicly stated that the notice was not delayed as a result of a law enforcement investigation, indicating that the timing of the public disclosure was based solely on the completion of their internal investigation and review process. The administrator of Region 4, Kesha Anderson-Trinka, has emphasized the organization's commitment to investing in internal processes, tools, and resources to secure its network and reduce the likelihood of a future incident, acknowledging the pervasive and evolving nature of cyber threats. The incident underscores the critical challenges faced by healthcare entities in safeguarding sensitive patient data against sophisticated cyber attacks.
