
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Horizon Behavioral Health Falls Victim to Ransomware Attack

Data breaches have been announced by Horizon Behavioral Health, BayMark Health Services, Carlton County Public Health and Human Services, the City of Bristol in Tennessee, and Schewitz Psychological Services (Couples Learn).

Horizon Behavioral Health

Horizon Behavioral Health, a Lynchburg, VA-based provider of mental health, substance use, and intellectual disability services in Central Virginia, has fallen victim to a ransomware attack. The attack was detected on March 16, 2025, when computer systems were disrupted. Immediate action was taken to try to contain the attack and prevent further unauthorized access, and a forensic investigation was launched to determine the extent of the compromise.

Horizon Behavioral Health determined that a ransomware group had access to its network between March 13, 2025, and March 16, 2025, during which time sensitive data may have been viewed or acquired by the ransomware group. The file review confirmed that the affected data included names, Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, diagnosis/conditions, medications, other treatment information, health insurance information, and claims information.

The data breach was reported to the HHS’ Office for Civil Rights on April 21, 2025, as involving the protected health information of 49,822 current and former patients. Those individuals have been offered complimentary credit monitoring services. Horizon Behavioral Health said it takes data security very seriously and continually reviews and augments its security measures in response to the changing threat landscape and will continue to do so.


BayMark Health Services

BayMark Health Services, Inc. has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal information of 16,548 individuals. On October 11, 2024, BayMark Health Services experienced a cyberattack that disrupted some of its IT systems. Assisted by third-party forensics experts, BayMark Health Services confirmed that an unauthorized third party had access to certain IT systems between September 24, 2024, and October 14, 2024, and accessed files containing employee data.

The types of data compromised in the incident varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers, and medical information. Notification letters were mailed to the affected individuals on May 2, 2025, and 12 months of free credit monitoring and fraud consultation services have been offered to the affected individuals. BayMark Health Services said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Carlton County Public Health and Human Services

Carlton County Public Health and Human Services in Minnesota has recently notified 3,502 individuals about a security incident that saw an unauthorized third party access an employee’s email account. The email account breach was detected on February 6, 2025, and the account was immediately secured. The forensic investigation confirmed that there had been unauthorized access to the account between January 23, 2025, and February 6, 2025, during which time personal and protected health information was accessed and/or acquired.

The account review was completed on April 10, 2025, when it was confirmed that the information compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, online account usernames and passwords, medical information such as diagnoses/conditions, treatment information, medications, medical record numbers, locations of services, dates of services, insurance information, and case ID numbers and other unique identifiers. Carlton County Public Health and Human Services notified the affected individuals on April 25, 2025.

Several steps have been taken to improve security, including enhancing its internal policies, procedures, and cybersecurity practices, updating its email retention policy, and communicating with all staff regarding increased awareness of phishing emails. The employee whose account was compromised has also received further training on email cybersecurity practices.

City of Bristol, Tennessee

The City of Bristol in Tennessee has announced a data breach at one of its third-party vendors. The City of Bristol used Nationwide Recovery Service for collections of unpaid bills related to utilities, municipal court, EMS and ambulance billing, and other general billing. Nationwide Recovery Service experienced a data breach on or around July 11, 2024, when hackers gained access to its network. The City of Bristol was notified about the incident on February 18, 2025, launched its own investigation, and determined that names, dates of birth, Social Security numbers, health insurance policy numbers, and/or protected health information may have been compromised.

City officials said the compromised data was “temporarily held by an unauthorized actor during this incident,” which suggests that Nationwide Recovery Service paid the ransom. While the breach occurred at a business associate, the City of Bristol reported the incident to the HHS’ Office for Civil Rights and is sending notification letters to the 4,708 affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Schewitz Psychological Services (Couples Learn)

Schewitz Psychological Services Inc., doing business as Couples Learn, has notified the California Attorney General about a recent HIPAA breach involving unauthorized access to its online scheduling platform, Acuity Scheduling. The forensic investigation confirmed that the system was accessed using a hacked user password. Once access was gained, a list of email addresses was uploaded to the platform, which was used to send out a large volume of spam and phishing emails. Couples Learn was unable to rule out the possibility that limited scheduling information may have been viewed or acquired, including name, email address, phone number, home state, appointment type, and partner’s name and email address.

Couples Learn said no clinical or therapy notes were compromised as they are stored securely in its electronic health record system, which is not connected to the scheduling platform. Couples Learn found no evidence of unauthorized access to scheduling data or data downloads. Notification letters were sent to the affected individuals out of an abundance of caution. Employees have been retrained on data security best practices, and internal security policies and procedures have been reviewed. The HHS’ Office for Civil Rights was recently told that up to 3,700 individuals were affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
