Cyber Incident Victim: Assurance Health System

Assurance Health System, an Indianapolis-based provider of senior inpatient psychiatric care operating in central Indiana and Ohio, experienced a breach involving unauthorized access to two employee email accounts. Forensic investigations determined one account was compromised between April 8, 2022, and April 21, 2022, while the second account showed unauthorized access spanning from June 10, 2021, to March 8, 2022. The organization completed its review of the affected accounts on September 1, 2022, though the exact date of initial detection remains unspecified in available reports. Notification letters were dispatched to 3,565 affected individuals starting October 28, 2022. The breach impacted patients across three affiliated facilities: Assurance Health, Anew Health, and Brightwell Behavioral Health.

The compromised email accounts contained extensive protected health information including patient names, contact details, Social Security numbers, driver's license numbers, dates of birth, medical record and account numbers, treatment dates and locations, medical histories, diagnosis details, provider names, prescription information, and health insurance data. Individuals whose Social Security numbers or driver's license numbers were exposed received offers for complimentary credit monitoring and identity protection services. Assurance Health System implemented additional technical safeguards and enhanced monitoring of its email environment following the incident. The organization did not specify whether the breach originated from phishing attacks or other vectors, though it confirmed no broader system compromise beyond the two email accounts. Forensic analysis established the precise timelines of unauthorized access but did not identify the threat actor or confirm any actual misuse of the exposed data.