SERV Behavioral Health Systems, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
SERV Behavioral Health Systems, Inc. Data Breach
SERV Behavioral Health System Inc., a healthcare organization based in Ewing Township, New Jersey, experienced a data breach that was announced on September 9, 2022. The breach may have affected personal information of individuals associated with the organization.
Details of the Breach
- Date of Suspicious Activity: The suspicious activity related to SERV’s computer network was first discovered on May 27, 2022[1][5].
- Immediate Action: SERV took immediate steps to secure its systems and initiated an investigation with the help of third-party computer forensic specialists[1].
- Investigation Completion: The review of the incident was completed on August 4, 2022[1].
- Uncertainty of Data Access: Although there was no evidence that an unauthorized user viewed or acquired information, SERV could not conclusively rule out that possibility[1].
- Information Affected: The potentially affected information included names, Social Security numbers, driver’s license numbers, medical/health information, and contact information[1].
- Regulatory Notification: SERV notified regulators, including the Department of Health and Human Services[1].
- Assistance Line: An assistance line was set up for those seeking additional information, available at (833) 420-2860[1].
- Credit Monitoring Advice: SERV advised patients to review their account statements and credit reports for suspicious activity for the next 12 to 24 months[1].
Ransomware Involvement
- Hive Ransomware Team: The Hive ransomware team allegedly encrypted SERV’s files on May 26, 2022, and added SERV BHS to their leak site on July 14, 2022, presumably because negotiations had failed[3][7][8].
- Lack of Proof: SERV’s statement indicated that they could not confirm data had been accessed or acquired, and Hive did not provide any “proof pack” or data leak for this incident[8].
Legal and Compliance Aspects
- Investigation by Law Firm: Turke & Strauss LLP, a data breach law firm, is investigating the breach at SERV Behavioral Health System[7].
- HIPAA Compliance: Under HIPAA, covered entities are required to notify affected individuals no later than 60 calendar days from the discovery of a breach. SERV’s notification came more than three months after the discovery of the incident[8].
- Number of Patients Affected: SERV reported the incident to HHS as impacting 8,110 patients[8].
Steps for Affected Individuals
- Change Passwords: It is recommended to change passwords and security questions for online accounts.
- Monitor Accounts: Regularly review account statements for signs of fraud or unauthorized activity.
- Credit Reports: Monitor credit reports for signs of identity theft.
- Fraud Alert: Contact a credit bureau to request a temporary fraud alert.
SERV Behavioral Health System has taken steps to improve security to prevent further attacks of this nature[10]. Affected individuals have been notified by mail, and the organization has provided information on how to protect personal information following the breach[7][10].
Citations:
- [1] https://njbiz.com/serv-behavioral-health-system-reports-data-breach/
- [2] https://casetext.com/case/hall-v-serv-centers-of-new-jersey
- [3] https://www.databreaches.net/nj-serv-behavioral-health-system-remains-quiet-about-alleged-ransomware-attack-in-may/
- [4] https://servbhs.org/about-serv/faqs
- [5] https://www.mass.gov/doc/assigned-data-breach-number-28216-serv-behavioral-health-systems-inc/download
- [6] https://www.hipaajournal.com/hipaa-breaches/
- [7] https://www.turkestrauss.com/2022/08/11/serv-behavioral-health-system-data-breach-investigation/
- [8] https://www.databreaches.net/update-serv-behavioral-health-system-issues-notice-of-breach/
- [9] https://apps.web.maine.gov/online/aeviewer/ME/40/f5d3a623-de46-4886-b263-3d6f686ff2bf.shtml
- [10] https://www.hipaajournal.com/cyberattacks-reported-by-wolfe-clinic-reiter-affiliated-companies-serv-behavioral-health-system/
- [11] https://www.doj.nh.gov/consumer/security-breaches/documents/serv-behavioral-health-systems-20220916.pdf