Carolina Behavioral Health Alliance, LLC

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Carolina Behavioral Health Alliance, LLC (CBHA) experienced a data breach that was first detected on March 20, 2022. The incident was identified as a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of CBHA’s computer systems. CBHA is a third-party administrator contracted to manage certain medical benefits for various organizations[1].

Upon discovering the breach, CBHA engaged third-party forensic firms to secure the network environment and investigate the extent of the unauthorized activity. Law enforcement was also notified. The investigation revealed that the unauthorized party may have accessed personal information between January 2022 and March 20, 2022[1].

The potentially accessed information could include first and last names, addresses, dates of birth, dates of service, levels of care, provider names, health plan identification information, and Social Security numbers. While there was no evidence that the personal information had been misused, the possibility of access by an unauthorized party could not be ruled out[1].

CBHA has since taken steps to improve its network security, including wiping and rebuilding affected systems, reviewing and altering its policies and procedures, and enhancing its network security software. The organization has also offered potentially impacted individuals access to free credit monitoring and identity theft protection services[1].

The breach affected over 130,000 health plan members, and CBHA began notifying individuals whose information may have been impacted on July 1, 2022. The exposed information includes names, Social Security numbers, addresses, dates of birth, dates of service, levels of care, provider names, and health plan identification numbers[3][7][9].

For those affected by the breach, CBHA recommended remaining vigilant by reviewing financial account statements, monitoring free credit reports, and reporting any suspicious activity to the relevant financial institution or law enforcement. It also advised enrolling in the free credit monitoring and identity theft protection services offered[1].

The breach was one of the largest healthcare data breaches reported in North Carolina in 2022, affecting 130,922 individuals[8]. CBHA is a third-party administrator that manages medical benefits for various organizations in North Carolina and parts of South Carolina, specializing in self-insured employer health plans, enhanced care management, and disease management[7].

Citations:

  1. https://cbhallc.com/notice/
  2. https://hickoryrecord.com/news/state-regional/business/novant-eliminating-160-jobs-in-largest-workforce-reduction-in-8-years/article_2ec91a3f-30b9-5cbe-a77e-08e6ed553693.html
  3. https://www.hipaajournal.com/carolina-behavioral-health-alliance-reports-breach-of-the-phi-of-130000-health-plan-members/
  4. https://www.hipaajournal.com/july-2022-healthcare-data-breach-report/
  5. https://www.mass.gov/doc/assigned-data-breach-number-26841-carolina-behavioral-health-alliance-llc/download
  6. https://www.jdsupra.com/legalnews/alliance-physical-therapy-group-llc-4462513/
  7. https://www.turkestrauss.com/2022/07/06/carolina-behavioral-health-alliance-data-breach-investigation/
  8. https://www.wnct.com/on-your-side/crime-tracker/the-biggest-health-care-data-breaches-you-should-know-about-in-north-carolina/
  9. https://www.thelyonfirm.com/blog/carolina-behavioral-health-alliance-data-breach/
  10. https://thehipaaetool.com/behavioral-health-patient-data-stolen/
  11. https://consumer.sc.gov/identity-theft-unit/security-breach-notices

Breach Submission Date: Jul 01, 2022
Converted Entity Name: Carolina Behavioral Health Alliance, LLC
Converted Entity Type: Business Associate
State: NC
Individuals Affected: 130,922
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes