HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Updates on Cyberattacks on Goodman Campbell Brain and Spine and Behavioral Health Group

Further information has been released on two cyberattacks on healthcare organizations: Goodman Campbell Brain and Spine and Behavioral Health Group.

Goodman Campbell Brain and Spine Notifies 363,000 Patients About Public Release of PHI on Dark Web

Carmel, IN-based Goodman Campbell Brain and Spine has started notifying 363,000 current and former patients that some of their protected health information was stolen prior to data being encrypted with ransomware and some of the stolen data has been published on the gang’s dark web data leak site.

The cyberattack was discovered by Goodman Campbell on May 20, 2022, and a third-party digital forensics firm was engaged to determine the nature and scope of the breach. The investigation confirmed that the electronic medical record system was not affected, but files containing patients’ protected health information had been exfiltrated from its systems. The stolen files contained information such as names, birthdates, addresses, telephone numbers, email addresses, medical record numbers, patient account numbers, diagnosis and treatment information, physician names, insurance information, dates of service, and Social Security numbers.

The attack caused disruption to its IT and phone systems. In a June 17, 2022, update on the attack, Goodman Campbell said that its phone system had been restored, but its email system remained down. In a July 19, 2022, update, Goodman Campbell said all clinical operations had been resumed and all communication systems had been restored.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While not confirmed by Goodman Campbell, the attack was conducted by the Hive ransomware operation, which has attacked many healthcare providers in the United States. Goodman Campbell said that the data was available on the dark web site for a period of 10 days. Data breach notification letters from healthcare providers rarely state that data has been made available on the dark web, even though patients should be made aware of the fact to allow them to take appropriate precautions to protect their identities. Goodman Campbell has offered affected individuals a 12-month membership to a credit monitoring and identity theft protection service.

Behavioral Health Group Confirms Patient Data Potentially Compromised in December 2021 Cyberattack

Behavioral Health Group (BHG), the operator of more than 80 outpatient opioid treatment centers in 17 U.S. states, has recently confirmed that it suffered a data security incident in 2021. The cyberattack forced BHG to take its systems offline, which caused disruption to operations for almost a week. BHG explained at the time that patients at some of its clinics were prevented from receiving their prescribed take-home methadone/suboxone doses; however, treatments were provided daily at its clinics. BHG did not disclose the exact nature of the cyberattack and if ransomware was used.

According to the BHG substitute breach notice, third-party cybersecurity experts were engaged to assist with the investigation and it was confirmed that unauthorized individuals removed certain files from its systems on December 5, 2021. The breach notice does not state when access to its network was first gained.

A comprehensive review of files on the parts of the network that were accessed confirmed they contained full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, payment card information, passport numbers, biometrics, health insurance information, medical diagnosis and treatment information, medications, dates of service, and medical record numbers.

BHG said it has found no evidence to suggest any misuse of the above information but has offered complimentary credit monitoring services to individuals whose Social Security numbers were potentially compromised.

The HHS’ Office for Civil Rights breach portal indicates 197,507 individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.