Date: Apr 2023
Location: United States of America

Summary

South Jersey Behavioral Health Resources experienced two unrelated security incidents in quick succession. The first was a business email compromise resulting in an unauthorized disclosure of patient billing and service information. Shortly thereafter, a ransomware attack encrypted files on its systems, potentially exposing a wider array of sensitive patient data including personal identifiers, Social Security numbers, and medical history. The organization responded by providing staff training and implementing additional security measures.


Description

On or around April 3, 2023, South Jersey Behavioral Health Resources (SJBHR), an Inperium affiliate providing behavioral health services in Camden, New Jersey, experienced a significant cybersecurity incident: a ransomware attack that encrypted files on certain computer systems within the organization. A forensic investigation was conducted to determine the scope and nature of the intrusion. It confirmed that unauthorized actors had gained access to the organization's network on or around April 3, two days before the file encryption was observed. The public disclosure did not detail the vulnerabilities or initial access vector used to obtain that access.


The ransomware attack was detected only after files had been encrypted. The investigation did not find evidence that the attackers accessed or exfiltrated patient data before or during the encryption. A finding of no evidence is not confirmation that no data left the network; it is only as strong as the logging available to the investigators, and the disclosure does not say what telemetry was reviewed. The compromised systems were known to contain files with a substantial amount of sensitive protected health information. Data present on the affected systems included patient names, contact information, Social Security numbers, driver's license numbers, and dates of birth. Medical information, including medical record numbers, treating or referring physician names, health insurance details and subscriber numbers, medical history, and diagnosis and treatment information, was also stored on the encrypted systems.

This ransomware incident occurred just a few days after a separate and unrelated security breach at the same organization. The prior incident, detected and responded to immediately before the ransomware attack, was a business email compromise or phishing attack. An employee received an email that appeared to originate from a legitimate internal account belonging to a member of the SJBHR fiscal office, requesting an Accounts Receivable Report. Believing the request to be authentic, the employee replied with the report attached. The report contained patient names, dates of service, types of service provided, and billing codes. The organization detected the impermissible disclosure the day after the email was sent. The disclosure does not say whether the fiscal office account was actually compromised or merely spoofed (for example, via a lookalike display name or sender address); the distinction matters for response, since a compromised mailbox calls for credential resets and a review of mailbox rules and sign-in activity, while a spoofed sender points to mail authentication and lookalike-domain controls. South Jersey Behavioral Health Resources explicitly stated that it did not believe the phishing attack and the ransomware attack were related.

In direct response to the business email compromise incident, South Jersey Behavioral Health Resources provided additional training to all staff members. This training was aimed at helping employees identify and avoid email scams in the future to prevent a recurrence of a similar phishing event. The organization also undertook a review of its policies and procedures following the more severe ransomware attack. This post-incident review led to the implementation of additional data security measures designed to strengthen its defenses against future cyber threats. The specific nature of these enhanced security measures was not publicly detailed.

The impact of these two incidents differed in scale and data type. The initial phishing incident resulted in the impermissible disclosure of protected health information for 2,193 individuals, as reflected in the breach portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights. The information disclosed in that event was limited to names, dates of service, types of service, and billing codes. The subsequent ransomware attack had a potentially much broader scope due to the vast array of sensitive personal, financial, and medical information contained on the compromised systems. The exact number of individuals affected by the ransomware attack was not confirmed in the immediate aftermath, as it had not yet been posted to the HHS breach portal at the time of reporting. The compromise of data such as Social Security numbers, driver's license numbers, and detailed medical history information presented a significantly heightened risk of identity theft, fraud, and other misuse for any affected patients, despite the lack of evidence confirming data theft.

The chronology of events began with the phishing attack, which was detected and addressed within a single day. Mere days later, on April 5, 2023, the organization experienced the ransomware attack which encrypted its systems. The forensic investigation later established that the attackers had first gained access to the systems two days prior, on April 3. The containment action for the ransomware attack involved neutralizing the threat and preventing further encryption, though the specific method used to block the unauthorized access was not described. The organization's response included both immediate forensic analysis to understand the breach and longer-term strategic changes to its security posture through policy review and technological improvements. The public disclosure of these incidents served to notify potential victims and comply with regulatory obligations, though the full extent of the ransomware attack's impact remained under assessment.
