Cyber Incident Victim: SERV Behavioral Health System

Date: May 2022

Location: United States of America

Summary

SERV Behavioral Health System experienced a ransomware attack allegedly conducted by the Hive group, resulting in file encryption and subsequent listing on the threat actor's leak site following unmet ransom demands. The organization did not publicly confirm or deny the breach despite multiple inquiries, and no regulatory notifications or consumer disclosures were verified at the time of reporting. Hive provided no evidence of data exfiltration, though unconfirmed speculation suggested potential exploitation of an unpatched legacy email server prior to migration to a cloud environment. Job listings indicated employee HIPAA training requirements, but no official breach report appeared on federal databases.

Description

On May 26, 2022, SERV Behavioral Health System, a New Jersey-based provider of social, educational, residential, and vocational services for individuals with mental illness or developmental disabilities, allegedly experienced a ransomware attack. The Hive ransomware group claimed responsibility for encrypting the organization’s files. Despite the encryption event, SERV did not publicly acknowledge the incident or respond to multiple inquiries from DataBreaches.net sent on July 14 and August 3. On July 14, Hive listed SERV Behavioral Health System on its data leak site, suggesting the organization did not meet ransom demands. The ransomware group did not provide a "proof pack" to validate its claims or disclose the volume or nature of exfiltrated data, leaving the scope of potentially compromised information unverified.

SERV’s lack of public response extended to regulatory and client notifications, with no entry found in the U.S. Department of Health and Human Services’ breach reporting tool as of August 6, 2022. While SERV’s HIPAA compliance status remained unclear, job listings indicated employees underwent HIPAA training, implying potential handling of protected health information. An external security researcher suggested a possible attack vector involving an unpatched on-premises Microsoft Outlook Web Access (OWA) server (exchange.servbhs.org), which was accessible in May 2022 before its services migrated to Microsoft Office 365. This migration coincided with the alleged attack timeline but was not confirmed by SERV. The absence of official statements left the incident’s operational, legal, and client impacts undocumented, including whether data exposure occurred or remediation steps were taken.
