Multiple Atlas Healthcare Group facilities impacted by breach
Abby Grifno
Mar 19, 2025 6:18:12 AM
The Connecticut-based healthcare group recently announced that they had been the victim of a data breach. While Atlas previously thought they were the victim of several smaller breaches, new information has revealed a much larger issue.
What happened
On March 3rd, 2025, Atlas Healthcare CT filed a data breach notice with the Department of Health and Human Services. Atlas operates multiple healthcare facilities throughout Connecticut, New Jersey, Maryland, and Massachusetts, including Vernon Rehabilitation and Healthcare Center, Manchester Rehabilitation and Healthcare Center, and others.
Several of the smaller organizations, such as Manchester Rehabilitation and Healthcare Center, provided data breach notices, but it’s become clearer that more organizations were part of the attack.
According to breach notices, impacted information may have included names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and financial information.
The situation continues to evolve, and it is currently unclear how many individuals may have been impacted overall.
Going deeper
According to Atlas, an unauthorized actor accessed the network on January 20th, 2023, over two years ago. Atlas immediately began an investigation, which concluded on August 16th, 2023. Despite the investigation's conclusion, Atlas did not begin notifying patients until early March of this year. Some individuals may have received an earlier notice if their facility contacted them directly.
While the data breaches were initially believed to be separate incidents, it is now clear that they were the result of a single network breach. Atlas has not provided any additional information on the incident.
The big picture
The incident at Atlas highlights how frequently organizations are interconnected with one another. Since Atlas controlled the network, a vulnerability in their software spilled over to impact multiple organizations. Parent organizations must never be complacent in their cybersecurity standards and should always be actively monitoring their networks.
The data breach also shows that, even when we think we have all of the information, these situations often continue to evolve, and more information can come to light as investigations continue.
FAQs
Why does it take so long to receive data breach notices?
The investigation process for data breaches can be meticulous and time-consuming for organizations. On top of this, it’s also common for organizations to not immediately notice a data breach, especially if they are not regularly monitoring or auditing their network. Additional time may be needed to determine what data was stolen and to find contact information for victims. Nevertheless, it’s important for organizations to notify individuals promptly; if not, practices may find themselves facing legal action.
Who is responsible for sending data breach notices?
Organizations that are responsible for collecting, storing, or processing protected health information (PHI) must supply breach notifications. In some instances, individual facilities may decide to send notices, while in other situations, the parent organization may take on the responsibility.