Colonial Behavioral Health Data Breach Exposes SSNs

William C. Gendron, Editor in Chief
Published: December 5, 2024
Updated: December 31, 2024
Colonial Behavioral Health
Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information

Colonial Behavioral Health (CBH), a community services board serving residents of James City County, Poquoson, Williamsburg, and York County, recently disclosed a significant data breach following a ransomware attack.

The breach, which impacted sensitive consumer information, was first detected on October 4, 2024. However, further investigation revealed that the unauthorized access began as early as May 17, 2024, and continued undetected for several months.

During this time, an unauthorized actor accessed and potentially exfiltrated data before encrypting CBH's IT systems with ransomware. The breach affected patient files and other records stored on CBH's systems. The types of information exposed include:

  • Social Security numbers
  • Medical records (e.g., diagnoses, lab results, medications, and treatment details)
  • Driver's license numbers
  • Addresses and ZIP codes
  • Dates of birth
  • Financial account information
  • Insurance and claims data

The breach has been reported to state and federal authorities, including the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Virginia State Police Cyber Fusion Center. In Massachusetts alone, nine individuals were confirmed to have been affected. You can view the official disclosure on the Massachusetts Attorney General's website.

The severity of this breach is underscored by the type of information involved, which includes sensitive personal and medical data. Such information, if misused, could lead to identity theft, financial fraud, and unauthorized access to medical records.

Colonial Behavioral Health's response

In response to the breach, Colonial Behavioral Health took immediate action to contain the ransomware attack and secure its systems. The organization engaged external cybersecurity experts to investigate the incident and assist with recovery efforts. Despite the disruptions caused by the attack, CBH was able to continue providing care to patients.

CBH has also notified affected individuals and offered them complimentary access to Experian IdentityWorks for 24 months. This service includes:

  • Credit monitoring
  • Identity restoration assistance
  • Identity theft insurance with coverage up to $1 million
  • Daily Experian credit reports for online members

Additionally, CBH has implemented measures to strengthen its network security and prevent future incidents. The organization is actively cooperating with law enforcement agencies to investigate the breach.

Steps to take if you are affected by the data breach

If you have been notified that your information was involved in this breach, it is essential to take proactive steps to protect yourself:

  1. Enroll in Experian IdentityWorks: CBH is providing affected individuals with free access to Experian's identity protection services. Be sure to enroll by March 31, 2025, using the activation code provided in your notification letter.
  2. Monitor your credit reports and accounts: Regularly review your credit reports for any unauthorized activity. You can obtain a free credit report annually from AnnualCreditReport.com.
  3. Place a fraud alert or credit freeze: Consider placing a fraud alert or a credit freeze on your credit file to prevent new accounts from being opened in your name without your permission. Contact the three major credit bureaus—Equifax, Experian, and TransUnion—to initiate these measures.
  4. Review medical and insurance records: Check your medical and insurance records for any unauthorized claims or services. If you notice discrepancies, contact your healthcare provider or insurer immediately.
  5. Be vigilant for phishing attempts: Cybercriminals may use stolen information to craft convincing phishing emails or phone calls. Avoid clicking on suspicious links or providing personal information to unknown parties.
  6. Report suspicious activity: If you suspect identity theft or fraud, report it to your local law enforcement, the Federal Trade Commission at IdentityTheft.gov, and your financial institutions.

By taking these steps, you can mitigate the risk of identity theft and protect your personal information.

Total people affected: 29930

Information types exposed:
  • Social Security numbers
  • Medical records
  • Driver's licenses
  • Financial accounts
