PA: Horizon House notifying patients of ransomware attack in March
I do not recall ever seeing Horizon House in Philadelphia listed on any dedicated leak site used by ransomware groups, but according to a press release issued last week, Horizon House experienced a ransomware attack in March 2 and March 5 of this year that encrypted their files and allowed the unknown threat actor to access and exfiltrate some data relating to employees and patients.
Horizon House, which began as a provider of support services for former mental health patients, had expanded their services over the decades to provide programs and services for adults with behavioral health needs, individuals with intellectual and developmental disabilities, and the homeless. According to their web site, they currently serve more than 5,000 adults annually in Pennsylvania and Delaware.
According to their press release:
The following types of information were present in the impacted systems and therefore potentially viewed or acquired by the unknown actor during this incident: name, address, Social Security number, driver’s license and/or state identification card number, date of birth, financial account information, medical claim information, medical record number, patient account number, medical diagnosis, medical treatment information, medical information, health insurance information, and medical claim information. Horizon House is unaware that any of the information was misused or disseminated by the unknown actor and is therefore providing this notice in an abundance of caution.
Horizon House is offering credit monitoring and identity protection services to all impacted individuals and has also established a toll-free number for those with additional questions and concerns: 1-800-718-1749. Individuals can also find additional information on how they can help protect their personal information as well as obtain additional resources on the Horizon House website, https://www.hhinc.org/.
The press release does not indicate the number of employees or patients impacted, and the incident has not shown up on HHS’s public breach tool as of the time of this publication.
Update September 24: This incident was reported to HHS as impacting 27,823 patients.