Hacker attack on mental health org exposes patient diagnoses


Threat actors have breached the Georgia-based Mental Health Association (MHA), taking some patients’ sensitive details, including diagnoses and prescribed medication.

Few details are as sensitive as individuals’ mental health conditions. However, unidentified attackers recently breached MHA, obtaining numerous sensitive details. According to MHA’s breach notification letter, the organization discovered unauthorized parties roaming its networks in early December 2024.

“Upon discovery of this incident, MHA promptly worked with their Managed Service Provider (MSP) to secure its systems and engaged a specialized third-party cybersecurity firm to conduct a forensic investigation of its network environment to determine the nature and scope of the Incident,” the data breach note reads.

According to the details MHA submitted to the Massachusetts Office of Consumer Affairs and Business Regulation, over 12,600 individuals were exposed to the attack.

The mental health organization stressed that, so far, it has no indication that any of its patients’ data was misused. However, an investigation into the attack revealed that malicious actors may have gotten their hands on numerous sensitive patient data points such as:

  • Names
  • Addresses
  • Social Security numbers (SSNs)
  • Financial account information
  • Dates of birth
  • Driver’s license numbers
  • Medical diagnoses and conditions
  • Medications
  • Medical record numbers

Attackers could exploit the stolen details for financial fraud and identity theft. Stolen SSNs and financial information could also enable attackers to attempt credit fraud. Additionally, attackers could resort to blackmail, threatening to leak data on patients’ mental health conditions.

Individual healthcare data can be sold on dark web forums. For example, malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to health insurers.

In an attempt to mitigate the risks, MHA said it will provide impacted individuals with 24 months of complimentary credit monitoring and identity theft restoration services.
