25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ransomware Attacks Announced by Maternal & Family Health Services and Retreat Behavioral Health

Posted By on Jan 9, 2023

Maternal & Family Health Services in Eastern Pennsylvania has recently notified certain patients about an April 4, 2022, ransomware attack in which sensitive patient data was exposed. When the attack was detected, systems were secured, and a third-party computer forensics firm was engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that its systems were first accessed by the attackers on August 12, 2021, almost 8 months before ransomware was used to encrypt files. Its systems were secured on April 4, 2022, with the investigation, review of affected files, and the verification of contact information lasting until the end of the year. Notifications were sent to affected individuals on January 3, 2023.

Maternal & Family Health Services said the compromised files included information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, usernames, passwords, medical information, and health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number or financial account/payment card information was involved. No evidence of misuse of patient data had been identified at the time of issuing notifications. Maternal & Family Health Services said it is strengthening security to prevent similar incidents in the future.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, but the Maine Attorney General notification indicates 461,070 individuals were affected.

Retreat Behavioral Health Ransomware Attack Affects Up to 23,620 Patients

Retreat Behavioral Health, an operator of mental health and substance use treatment centers in Florida, Pennsylvania, and Connecticut, has confirmed that ransomware was used in a cyberattack that was detected and blocked on July 1, 2022.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Retreat Behavioral Health said the forensic investigation concluded on December 9, 2022, and notifications have now been sent to affected patients. The investigation indicates a data set within its network was accessed by the third party behind the attack, with the potentially compromised data including names, addresses, and Social Security numbers. A subset of individuals also had their date of birth and/or treatment information exposed. Retreat Behavioral Health said no evidence of attempted or actual misuse of patient data has been identified but as a precaution, Single Bureau Credit Monitoring Services have been offered to patients at no cost. Retreat Behavioral Health has also implemented additional monitoring tools on its network and will continue to enhance system security.

The breach was recently reported to the Maine Attorney General as affecting 23,620 patients and was reported to the HHS Office for Civil Rights by NR Pennsylvania Associates, LLC, as affecting 14,335 individuals, and NR Connecticut, LLC, as affecting 2,160 individuals.

Employee Benefits Plan Data Exposed in L. Knife & Son Hacking Incident

The alcoholic beverage wholesaler, L. Knife & Son, Inc., has recently announced that an unauthorized third party gained access to its network and copied files containing sensitive data. The security breach was detected on November 1, 2022, with the forensic investigation confirming unauthorized access to files and data theft occurred between October 13, 2022, and October 19, 2022. The review of the affected files was completed on December 8, 2022.

The breach was reported to the Maine Attorney General as involving the data of 14,377 individuals, and the HHS’ Office for Civil Rights as involving the protected health information of 4,082 members of its Employee Benefits Plan. Affected individuals have been offered complimentary 2-year memberships to an identity theft protection service, and additional security measures have been implemented to prevent further breaches in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist