Cyber Incident Victim: Valley Hope Association

On October 9-10, 2018, unauthorized individuals gained access to an employee email account at Valley Hope Association, a network of addiction treatment centers, through a successful phishing attack. The breach remained undetected until November 23, 2018, when an internal investigation confirmed the unauthorized access period. The compromised email account contained messages and file attachments with sensitive personal information of approximately 70,000 patients across 16 facilities in Kansas, Missouri, Nebraska, Arizona, Oklahoma, Texas, and Colorado. Exposed data included full names, addresses, medication and prescription details, Social Security numbers, financial account information, driver's license or state ID numbers, billing records, dates of birth, health insurance details, medical record numbers, and treating physicians' names. This combination of personal, financial, and medical data created significant identity theft and fraud risks for affected individuals.

Valley Hope began notifying impacted patients on January 18, 2019, through mailed communications and established a dedicated online resource page to address inquiries. The organization reported the incident to the Department of Health and Human Services' Office for Civil Rights, relevant state regulators, and major credit reporting agencies. In response to the breach, Valley Hope implemented additional security safeguards and initiated a review of existing policies and procedures to enhance information protection. Affected individuals received offers for 12 months of complimentary identity monitoring services through Kroll to help detect potential misuse of their personal information. The organization maintained existing security measures while working to strengthen defenses against similar email-based attacks in the future.