Greater Cincinnati Behavioral Health Services Reports 62,000-Record Data Breach
Greater Cincinnati Behavioral Health Services (GCBHS) fell victim to a cyberattack on December 10, 2023, that caused network disruption and prevented access to some of its IT systems. Immediate action was taken to contain the incident and third-party cybersecurity experts were engaged to investigate and assist with the breach response.
GCBHS said the forensic investigation is ongoing but evidence has been found that indicates an unauthorized third party accessed files containing patient information. The files are still being reviewed and notifications will be issued when that process has been completed. GCBHS said the compromised data includes names, demographic information, dates of birth, Social Security numbers, driver’s license numbers, medical information, and healthcare information. GCBHS said it has implemented additional security tools and will be offering the affected individuals complimentary credit monitoring and identity theft protection services. The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 50,000 patients.
UPDATE: September 13, 2024
GCBHS has recently notified the Maine Attorney General about the breach, which was reported as affecting 62,036 individuals, including 3 Maine residents. The OCR breach portal still shows the incident (reported on February 2, 2024) as involving the protected health information of 50,000 individuals. GCBHS said it completed its file review on May 8, 2024, and mailed its first wave of 60,080 notifications on June 12, 2024. A second wave of notifications was mailed on September 10, 2024, to 1,557 individuals. Notifications could not be mailed to 399 individuals as there was no address information.
Individuals affected had one or more of the following exposed along with their name: date of birth, driver’s license/state ID, Social Security number, license plate/VIN vehicle ID, health insurance policy plan/policy number, and other personally identifiable health information (such as Medicare/Medicaid number, cost of treatment/insurance, healthcare provider name, treatment location, patient ID number, diagnosis/treatment/procedure, prescription drugs taken/written, medical history/allergies, medical records number, date of admission/treatment, and/or test results/images/vital signs). Complimentary credit monitoring services have been offered. The DragonForce ransomware group claimed responsibility for the attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
UPDATE: October 23, 2025
A settlement has been agreed to resolve class action litigation stemming from the data breach. Further information is available in this post.
Bay Area Heart Center Affected by Cyberattack on Business Associate
Bay Area Heart Center in Florida has been affected by a cyberattack and data breach at its business associate, Bowden Barlow Law, which provides debt recovery services. The law firm conducted a forensic investigation which confirmed that the protected health information of 11,709 Bay Area Heart Center patients was compromised in the attack. The impacted data was limited to names, addresses, full and partial Social Security Numbers, dates of service, limited claims data, and insurance policy numbers. Bowden Barlow Law has made cybersecurity improvements and is offering the affected individuals complimentary credit monitoring services for 12 months.
