Cyber Incident Victim: Center for Life Management

On February 21, 2022, an unauthorized individual gained access to systems at the Center for Life Management (CLM), a third-party provider of data storage services for the Mental Health Center of Greater Manchester (MHCGM). The intrusion was detected two days later on February 23, 2022, prompting immediate containment measures to secure systems and prevent further unauthorized activity. The breach investigation confirmed the incident was confined exclusively to CLM's infrastructure, with no compromise of MHCGM's internal systems. CLM conducted a forensic review that culminated in an April 11, 2022 determination that attackers potentially accessed and exfiltrated files containing MHCGM patient information. The exposed data included names, addresses, birth dates, Social Security numbers, medical diagnoses, treatment details, discharge records, and healthcare provider information. While investigators found no evidence confirming actual viewing or acquisition of specific records by threat actors, CLM and MHCGM implemented precautionary notifications due to the sensitive nature of the data involved.

MHCGM terminated its data storage arrangement with CLM following the breach and initiated procedures to remove all patient information from CLM's systems. As a protective measure, MHCGM offered affected individuals 12 months of complimentary credit monitoring services despite the absence of confirmed data misuse. The incident impacted 1,322 MHCGM patients according to the official report submitted to the HHS Office for Civil Rights. Operational disruptions were limited to CLM's compromised infrastructure, with no reported interruptions to MHCGM's direct clinical services or internal network functionality. The breach notification emphasized that MHCGM's independent security controls remained intact throughout the incident, as the exposure stemmed solely from vulnerabilities within CLM's third-party storage environment.