Updates About the Cyberattacks on Behavioral Health Group and Goodman Campbell Brain and Spine

Additional information was recently published regarding two cyberattacks on healthcare companies: Behavioral Health Group and Goodman Campbell Brain and Spine.

Behavioral Health Group Reports Potential Compromise of Patient Data in December 2021 Cyberattack

Behavioral Health Group (BHG), manager of over 80 outpatient opioid treatment facilities in 17 U.S. states, has lately reported that it encountered a data security event in 2021. The cyberattack compelled BHG to take down its systems, which prompted an interruption to operations for about one week. BHG revealed at that time that patients in a number of its clinics could not receive the take-home methadone/suboxone doses prescribed by their doctors; nonetheless, treatments were given every day at its clinics. BHG didn’t say the precise nature of the cyberattack and whether or not ransomware was involved.

Based on the substitute breach notice by BHG, third-party cybersecurity professionals helped with the investigation and affirmed that unauthorized persons extracted selected files from its network on December 5, 2021. There was no mention in the breach notice about the time access to its system was initially acquired.

A thorough analysis of files on the areas of the network that had been accessed revealed that they consisted of complete names, driver’s license numbers, Social Security numbers, state ID numbers, financial account details, payment card data, biometrics, passport numbers, medical insurance details, medical diagnosis and treatment data, prescription drugs, medical record numbers, and dates of service.

BHG mentioned it did not find any evidence that suggests any misuse of the previously mentioned data, however, has provided free credit monitoring services to persons who had their Social Security numbers possibly compromised.

The HHS’ Office for Civil Rights breach website reveals 197,507 persons were impacted.

Goodman Campbell Brain and Spine Informs 363,000 Individuals About the PHI Published on Dark Web

Goodman Campbell Brain and Spine based in Carmel, IN has begun informing 363,000 present and former patients about the theft of some of their protected health information (PHI) before being encrypted by ransomware. Selected stolen information was posted on the group’s dark web data leak website.

Goodman Campbell discovered the cyberattack on May 20, 2022, and had a third-party digital forensics company help to find out the nature and extent of the breach. Based on the investigation, the breach did not affect the electronic medical record system, however, files that contain patients’ PHI had been extracted from its network. The stolen records included data like names, addresses, phone numbers, birthdates, email addresses, health record numbers, diagnosis and treatment data, patient account numbers, dates of service, doctor names, insurance details, and Social Security numbers.

The attack caused dysfunction in its IT and telephone systems. On June 17, 2022, Goodman Campbell stated in its update that its telephone system had been recovered, however, its email system stayed dysfunctional. On July 19, 2022, Goodman Campbell stated all clinical operations were started again and all communication systems were repaired.

Although Goodman Campbell did not confirm it, the Hive ransomware operation conducted the attack. Goodman Campbell stated that the information was accessible on the dark webpage for 10 days. There was no mention in the data breach notification letters that data was posted on the dark web, although patients must know the truth to enable them to take proper safety measures to secure their identities. Goodman Campbell has provided the impacted people membership to a credit monitoring and identity theft protection service for 12 months


About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA