Colonial Behavioral Health (CBH), a Virginia-based healthcare services provider, announced a data breach on November 27, 2024, following a ransomware attack. The breach exposed the protected health information (PHI) of 29,930 individuals.
On October 24, 2024, CBH identified unusual activity in its IT network, which was later confirmed to be a ransomware attack. Investigations revealed that an unauthorized party had accessed the network as early as May 17, 2024. Compromised data included names, addresses, Social Security numbers, driver’s license numbers, dates of birth, medical information, and insurance details.
CBH immediately enlisted cybersecurity experts to secure its systems and investigate the breach. On November 27, 2024, notification letters were sent to affected individuals detailing the specific information involved.
The CBH public notice states that the organization “notified state and federal law enforcement, including the FBI’s Cyber Crimes Division, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Fusion Center of the Virginia State Police. CBH is supporting all law enforcement investigations into this matter.”
Furthermore, the organization urges former or current CBH patients who want to receive credit monitoring and did their notice to please email privacy@colonialbh.org.
Healthcare organizations, like CBH, are more susceptible to ransomware attacks as medical and personal information fetches high prices on the black market. Cybercriminals exploit system vulnerabilities to access sensitive data, often resulting in significant financial gains for the attackers and devastating consequences for organizations and individuals.
Healthcare organizations must use advanced threat detection, employee training, and regular system audits to improve their cybersecurity measures.
Those affected should monitor their financial and medical accounts closely and consider legal advice to understand their rights and potential recourse.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.