Cyber Incident Victim: Columbia River Mental Health Services

Columbia River Mental Health Services (CRMHS) in Washington State experienced a data security breach involving unauthorized access to certain employee email accounts. The breach period spanned from May 14, 2021, to April 8, 2022, though CRMHS did not specify the exact date they initially detected suspicious activity. An investigation confirmed the unauthorized access but could not verify whether threat actors actually viewed or acquired protected health information (PHI) belonging to specific individuals. On July 6, 2022, CRMHS determined PHI was involved in the incident and decided to issue notifications "in an abundance of caution" despite lacking confirmation of data access. The organization reported the breach to the U.S. Department of Health and Human Services (HHS) on August 8, 2022, listing 501 affected individuals—a placeholder figure indicating the final count exceeded 500 but remained undetermined at the time of reporting.

CRMHS had not initiated individual notification letters by August 8, 2022, and provided no details about the types of information exposed within the compromised email accounts. The breach timeline raised questions about detection delays, as the unauthorized activity persisted for nearly 11 months before discovery. Notification timelines also drew scrutiny, as federal regulations typically require reporting to HHS and affected individuals within 60 days of discovery. If CRMHS identified the breach in April 2022, notifications would have been due by June 2022, but the HHS report and public notice occurred in August. The organization’s press release cited an ongoing investigation as the reason for delayed notifications but did not clarify the initial detection method or operational impacts. No additional technical details regarding attacker tactics, containment measures, or system vulnerabilities were disclosed publicly.