• Home
  • cyber
  • MHR, Inc.: Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit
cyber Breach

MHR, Inc.: Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit

Nov 20, 2024 2 min read
MHR, Inc.: Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit

Behavioral Health Resources Pays $1.1 Million to Settle Data Breach Lawsuit

Behavioral Health Resources, a behavioral and mental health services provider serving patients in Thurston County, Olympia, in Washington state, has agreed to settle a consolidated class action lawsuit stemming from a data incident identified on November 20, 2024. The forensic investigation confirmed unauthorized access to its technology systems, resulting in the exposure and potential theft of the personal and protected health information of 50,083 current and former patients. The affected individuals were notified about the incident in January 2025.

Several class action lawsuits were filed in response to the data breach, the first of which was filed by plaintiff Carol Walker in the Superior Court of Thurston County, Washington. Separate class action complaints were subsequently filed by plaintiffs Rebecca A. Campos, Adam Shotswell, Smukweshun Okena, and Kim Ridgway. The lawsuits were consolidated into a single complaint – Walker et al. v. Behavioral Health Resources.

The plaintiffs allege that Behavioral Health Resources failed to implement reasonable and appropriate cybersecurity measures to protect patients’ protected health information, in violation of federal and state laws. Behavioral Health Resources maintains that there was no wrongdoing, that the class representatives and the class members have not suffered any damages as a result of the data breach, and the defendant denies that the comp

Source: https://www.hipaajournal.com/behavioral-health-resources-data-breach-settlement/

MHR, Inc. cybersecurity rating report: https://www.rankiteo.com/company/mental-health-resources

"id": "MEN1764864093",
"linkid": "mental-health-resources",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '50083',
                                     'industry': 'Behavioral and Mental Health '
                                                 'Services',
                                     'location': 'Thurston County, Olympia, '
                                                 'Washington, USA',
                                     'name': 'Behavioral Health Resources',
                                     'size': None,
                                     'type': 'Healthcare Provider'}],
              'customer_advisories': 'Patient notifications in January 2025',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': 'Potential theft',
                              'file_types_exposed': None,
                              'number_of_records_exposed': '50083',
                              'personally_identifiable_information': 'Yes',
                              'sensitivity_of_data': 'High',
                              'type_of_data_compromised': ['Personal '
                                                           'Information',
                                                           'Protected Health '
                                                           'Information']},
              'date_detected': '2024-11-20',
              'date_publicly_disclosed': '2025-01',
              'description': 'Behavioral Health Resources, a behavioral and '
                             'mental health services provider, agreed to '
                             'settle a consolidated class action lawsuit '
                             'stemming from a data incident involving '
                             'unauthorized access to its technology systems, '
                             'resulting in the exposure and potential theft of '
                             'personal and protected health information of '
                             '50,083 patients.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Personal and protected health '
                                             'information',
                         'downtime': None,
                         'financial_loss': '1100000',
                         'identity_theft_risk': 'High',
                         'legal_liabilities': 'Class action lawsuit settlement',
                         'operational_impact': None,
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'Technology systems'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Forensic investigation completed',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': 'Failure to implement '
                                                        'reasonable and '
                                                        'appropriate '
                                                        'cybersecurity '
                                                        'measures'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': None,
                              'source': 'Class action lawsuit settlement '
                                        'announcement',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': 'Class action lawsuit',
                                        'regulations_violated': ['Federal and '
                                                                 'state laws'],
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': 'Patient notifications in '
                                                     'January 2025',
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': None},
              'title': 'Behavioral Health Resources Data Breach Lawsuit '
                       'Settlement',
              'type': 'Data Breach'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.