SERV Behavioral Health Systems, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

SERV Behavioral Health Systems, Inc. Data Breach

SERV Behavioral Health System Inc., a healthcare organization based in Ewing Township, New Jersey, experienced a data breach that was announced on September 9, 2022. The breach may have affected personal information of individuals associated with the organization.

Details of the Breach

  • Date of Suspicious Activity: The suspicious activity related to SERV’s computer network was first discovered on May 27, 2022[1][5].

  • Immediate Action: SERV took immediate steps to secure its systems and initiated an investigation with the help of third-party computer forensic specialists[1].

  • Investigation Completion: The review of the incident was completed on August 4, 2022[1].
  • Uncertainty of Data Access: Although there was no evidence that an unauthorized user viewed or acquired information, SERV could not conclusively rule out that possibility[1].
  • Information Affected: The potentially affected information included names, social security numbers, driver’s license numbers, medical/health information, and contact information[1].
  • Regulatory Notification: SERV notified regulators, including the Department of Health and Human Services[1].
  • Assistance Line: An assistance line was set up for those seeking additional information, available at (833) 420-2860[1].
  • Credit Monitoring Advice: SERV advised patients to review their account statements and credit reports for suspicious activity for the next 12 to 24 months[1].

Ransomware Involvement

  • Hive Ransomware Team: The Hive ransomware team allegedly encrypted SERV’s files on May 26, 2022, and added SERV BHS to their leak site on July 14, 2022, presumably because negotiations had failed[3][7][8].

  • Lack of Proof: SERV’s statement indicated that they could not confirm data had been accessed or acquired, and Hive did not provide any “proof pack” or data leak for this incident[8].

Legal and Compliance Aspects

  • Investigation by Law Firm: Turke & Strauss LLP, a data breach law firm, is investigating the breach at SERV Behavioral Health System[7].

  • HIPAA Compliance: Under HIPAA, affected entities are required to notify affected individuals no later than 60 calendar days from the discovery of a breach. SERV’s notification came more than three months after the discovery of the incident[8].

  • Number of Patients Affected: SERV reported the incident to HHS as impacting 8,110 patients[8].

Steps for Affected Individuals

  • Change Passwords: It is recommended to change passwords and security questions for online accounts.

  • Monitor Accounts: Regularly review account statements for signs of fraud or unauthorized activity.

  • Credit Reports: Monitor credit reports for signs of identity theft.
  • Fraud Alert: Contact a credit bureau to request a temporary fraud alert.

SERV Behavioral Health System has taken steps to improve security to prevent further attacks of this nature[10]. Affected individuals have been notified by mail, and the organization has provided information on how to protect personal information following the breach[7][10].

Citations:

  1. https://njbiz.com/serv-behavioral-health-system-reports-data-breach/
  2. https://casetext.com/case/hall-v-serv-centers-of-new-jersey
  3. https://www.databreaches.net/nj-serv-behavioral-health-system-remains-quiet-about-alleged-ransomware-attack-in-may/
  4. https://servbhs.org/about-serv/faqs
  5. https://www.mass.gov/doc/assigned-data-breach-number-28216-serv-behavioral-health-systems-inc/download
  6. https://www.hipaajournal.com/hipaa-breaches/
  7. https://www.turkestrauss.com/2022/08/11/serv-behavioral-health-system-data-breach-investigation/
  8. https://www.databreaches.net/update-serv-behavioral-health-system-issues-notice-of-breach/
  9. https://apps.web.maine.gov/online/aeviewer/ME/40/f5d3a623-de46-4886-b263-3d6f686ff2bf.shtml
  10. https://www.hipaajournal.com/cyberattacks-reported-by-wolfe-clinic-reiter-affiliated-companies-serv-behavioral-health-system/
  11. https://www.doj.nh.gov/consumer/security-breaches/documents/serv-behavioral-health-systems-20220916.pdf
Breach Submission Date Sep 09, 2022
Converted Entity Name SERV Behavioral Health Systems, Inc.
Converted Entity Type Healthcare Provider
State NJ
Individuals Affected 8,110
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes