Region 4 South Mental Health Consortium
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
On August 6, 2023, the Region 4 South Mental Health Consortium in Minnesota experienced a ransomware attack that impacted its computer network, particularly affecting Grant County. The consortium provides mental health services to adults in Douglas, Grant, Stevens, Traverse, and Pope counties. Following the cyber attack, Region 4 began working with the county and a digital forensics firm to understand the incident, contain the attack, and determine its scope[1].
The investigation revealed that some data was taken from Grant County’s network. The compromised data included individuals’ names, addresses, dates of birth, Social Security numbers, information regarding services provided, patient identification numbers, insurance identification numbers, billing information, and details about physical, medical, or mental health conditions, diagnoses, treatments, medications, laboratory results, and substance use information. For a small number of individuals, driver’s license numbers were also included. However, the electronic medical record system was not affected by the incident[1].
Region 4 South Mental Health Consortium has taken steps to notify individuals who may have been affected by the breach and is offering credit monitoring services at no cost to those whose Social Security numbers or driver’s licenses were involved. They have also advised individuals to remain vigilant for fraud and identity theft by monitoring their account statements and Explanation of Benefits forms. The consortium has reported the incident to the U.S. Department of Health and Human Services and appropriate state regulators[1].
The consortium has restored much of its data from backups without paying the ransom and is fully operational. They have also committed to investing in internal processes, tools, and resources to secure their network and reduce the likelihood of future incidents[1].
Grant County refused to pay the ransom demanded by the cybercriminals and was able to restore much of its data from existing backups. The county is continuing to evaluate the data impacted by the incident to determine if there is a legal obligation to provide a notice of a data breach, in compliance with Minnesota and federal laws[5].
For those individuals for whom Region 4 did not have sufficient contact information, the consortium has posted a ransomware notice on its website and provided a toll-free telephone number for inquiries[7].
Citations:
- https://www.echopress.com/news/mental-health-consortium-which-includes-douglas-county-investigates-cyber-attack
- https://www.co.stevens.mn.us/AgendaCenter/ViewFile/Item/86?fileID=1400
- https://www.r4sconversations.org
- https://www.revisor.mn.gov/laws/2023/0/Session+Law/Chapter/70/
- https://grantcountyherald.com/news/mental-health-consortium-data-may-have-been-compromised-in-ransomware-attack/
- https://store.samhsa.gov/sites/default/files/pep20-08-01-001.pdf
- https://stevenscountytimes.com/ransomware-hackers-gained-access-through-grant-county-computers/
- https://www.senate.mn/chamber/amendment/sh2725a-3.html
- http://www.r4sconversations.org/rfp/ARMHSapplication-Part3.pdf
- https://www.revisor.mn.gov/statutes/cite/245G/pdf
- https://www.coursesidekick.com/information-systems/874088
- https://www.osa.state.mn.us/media/pgrfc5ee/traversecountyfsml_13_report.pdf
- https://konbriefing.com/en-topics/cyber-attacks-usa.html
- https://www.samhsa.gov/sites/default/files/ready-to-respond-compendium.pdf
- https://www.co.nobles.mn.us/departments/community-services/adult-services/southwestern-minnesota-adult-mental-health-consortium/
- https://bja.ojp.gov/sites/g/files/xyckuh186/files/Publications/CSG_Behavioral_Framework.pdf