Hackers stole sensitive mental health records from nearly 46,000 patients at a U.S. clinic, but victims weren’t told for a full year.
Hackers infiltrated the Community Counseling of Bristol County (CCBC), a Massachusetts-based behavioral health center, in May 2024. The breach, which went undetected for two days, resulted in the theft of sensitive information belonging to nearly 46,000 individuals. The clinic disclosed the incident a full year later, leaving patients unaware and unprotected in the interim.
According to a breach notification filed with the Maine Attorney General’s Office, attackers accessed files containing protected health information (PHI) and personally identifiable information (PII). The compromised data included details related to patients receiving mental health and substance use disorder treatment, some of the most sensitive information in healthcare.
The delayed disclosure raises serious concerns, as the stolen information could have been misused long before patients were notified. Potential risks include identity theft, insurance fraud, and phishing schemes tailored to vulnerable individuals.
In response, CCBC is offering free credit monitoring and identity protection services to those affected. The clinic has also urged patients to closely monitor their financial accounts and credit reports for any suspicious activity.
CCBC acknowledged the breach in a formal notification and committed to offering impacted individuals tools for credit and identity monitoring. While the clinic did not elaborate on why the breach went undisclosed for a year, it says steps have been taken to secure its systems going forward.
The breach draws attention to the ongoing need for timely and transparent disclosures in healthcare cybersecurity. Mental health records are especially sensitive, and unauthorized access can have serious personal consequences for those affected. Organizations that manage this type of information carry an added obligation to both protect their systems and notify individuals promptly when incidents occur. The CCBC case illustrates how delays in communication can increase the impact, particularly when vulnerable populations are involved.
HIPAA generally requires notification within 60 days of discovering a breach, not a full year.
Yes. The Office for Civil Rights (OCR) can issue fines for untimely or incomplete breach reporting.
It can be used to exploit individuals emotionally or socially, making it valuable for extortion and fraud.
Credit monitoring helps detect financial misuse, but it doesn’t prevent phishing, impersonation, or emotional harm.
Implement real-time threat detection, conduct regular audits, and establish a clear incident response protocol.