Behavioral Health Resources Data Breach Exposes Info of 50K People

On November 20, 2024, Behavioral Health Resources (BHR), a leading provider of behavioral health and substance use disorder treatment services in Washington state, discovered suspicious activity within its computer systems. After engaging third-party cybersecurity experts, BHR determined that an unauthorized actor had gained access to certain systems, making sensitive information accessible.

The investigation could not confirm whether any data was actually viewed or taken, but a comprehensive review identified the types of information that may have been exposed.

A total of 50,083 individuals across the United States were affected by this breach, with 4 individuals identified in Maine.

The data potentially exposed includes a wide range of personally identifiable information (PII) and protected health information (PHI): full name (including maiden name), address, date of birth, Social Security number, telephone and fax numbers, medical record number, health plan beneficiary number, account number, certificate/license number, biometric and genetic data, full face photographic image, birth and marriage certificates, tribal ID, government-issued ID, taxpayer identification number (TIN), electronic/digital signature, financial institution name, medical billing information, medical information (including diagnosis, condition, treatment, lab results, provider name, physician, patient ID, medication information, admission and discharge dates, treatment cost, and date of death), other health-related details, and health insurance information.

The breach was first reported to the U.S. Department of Health and Human Services on January 17, 2025, and disclosed to the Maine Attorney General’s office on April 18, 2025. Written notifications to affected individuals began on April 17, 2025. Subsequent notices to the Massachusetts Attorney General and the Department of Health and Human Services were made on April 18, 2025.

Behavioral Health Resources's response

BHR is reviewing and updating its information security policies and procedures, and implementing additional safeguards to protect sensitive data. The company has set up a dedicated toll-free assistance line for affected individuals: (855) 549-2726, available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time (excluding major U.S. holidays).

If you believe you may be affected, it is important to remain vigilant. Review your account statements, credit reports, and explanations of benefits for any unusual activity. Promptly report any suspicious activity to your bank, credit card company, healthcare or insurance provider, or other relevant institution. BHR’s notice provides detailed instructions on how to request free credit reports, place fraud alerts, or freeze your credit with the major credit bureaus. Additional resources and guidance are available from the Federal Trade Commission and state attorneys general.

To learn more, visit the Behavioral Health Resources website.