BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach.
The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces.
In data breach notification letters mailed to affected individuals, BayMark revealed that it learned of the breach on October 11, 2024, following an IT systems disruption. A follow-up investigation revealed that the attackers accessed BayMark’s systems between September 24 and October 14.
“On October 11, 2024, we learned of an incident that disrupted the operations of some of our IT systems. We immediately took steps to secure our systems, launched an investigation with the assistance of third-party forensic experts, and notified law enforcement,” Baymark explains in a statement published on its website.
“Our investigation determined that an unauthorized party accessed some of the files on BayMark’s systems between September 24, 2024 and October 14, 2024. We then initiated a review and analysis of those files.”
Documents exposed during the incident contained various types of data for each affected patient, including their names and:
- Social Security number,
- driver’s license number,
- date of birth,
- services received and dates of service,
- insurance information,
- treating provider and treatment and/or diagnostic information.
Baymark is now offering a year of free Equifax identity monitoring services to patients whose Social Security numbers or driver’s license numbers may have been exposed in the incident.
A Baymark spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more information on the breach, including the total number of affected patients.
While the healthcare service provider did not provide further details about the September attack, the RansomHub ransomware gang claimed the breach in October, saying it stole 1.5TB of files from Baymark’s compromised systems. The data has since been uploaded on the threat actors’ dark web leak site.
The RansomHub ransomware-as-a-service (RaaS) operation (formerly known as Cyclops and Knight) surfaced almost one year ago, in February 2024, and is focused on data-theft-based extortion rather than encrypting victims’ systems.
Since then, it has claimed responsibility for multiple high-profile victims, including the Rite Aid drugstore chain, the Christie’s auction house, U.S. telecom provider Frontier Communications, the Planned Parenthood sexual health nonprofit, Kawasaki’s EU division, the Bologna Football Club, and oil services giant Halliburton.
RansomHub also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware operation shut down after stealing $22 million in an exit scam.
Since it surfaced, the FBI says RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors, including government, critical infrastructure, and healthcare, until August 2024.
The BayMark Health Services breach notifications come after the U.S. Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to secure patients’ health data in response to a surge of massive healthcare security breaches impacting affecting hospitals and Americans in recent years.
In October, UnitedHealth confirmed that it suffered the most significant healthcare breach in recent years after the February Change Healthcare ransomware attack that affected more than 100 million individuals.