On January 17, Behavioral Health Resources (BHR) informed the U.S. Department of Health and Human Services (HHS) about a reportable breach. At that point, they had not yet determined the number of affected individuals, using “501” as a placeholder. Additionally, BHR published a preliminary notice on their website to inform the public about the breach. The company disclosed that they had detected suspicious activity in their network around November 20, 2024.
By mid-January, BHR’s investigation had not confirmed whether any data was accessed or exfiltrated.
However, the organization acknowledged that any compromised information could include sensitive personal and medical details. This could have involved full names, birth dates, Social Security numbers, medical records, and a range of other health-related data. The information potentially affected also included biometric data, government-issued IDs, and financial institution details.
On April 17, BHR updated the Maine Attorney General’s Office with new information.
While the investigation still couldn’t confirm whether any data had been viewed or accessed, BHR reported that 50,083 individuals would be notified. This was a significant increase in the number of affected individuals compared to the initial report. The organization continued its efforts to clarify the scope of the breach as its investigation progressed.
Despite the ongoing investigation, there has been no confirmation of a ransomware gang or extortion group claiming responsibility for the breach. As of today, the public breach tool on the HHS website still lists the “501” placeholder, leaving the total number of affected individuals unclear. It is unknown whether BHR has updated its HHS report to reflect the 50,083 individuals being notified.
Reference: