Opioid treatment network Behavioral Health Group suffered a cyberattack that led to an almost week-long disruption of IT systems and patient care.
Behavioral Health Group (BHG) is one of the largest networks of outpatient opioid treatment centers in the USA, with over 80 clinics throughout seventeen states.
Last week, BHG suffered a cyberattack that forced them to shut down portions of their IT network to prevent the attack’s spread.
This computer outage caused issues at some clinics, preventing patients from receiving their normally prescribed take-home doses of methadone or suboxone, used to treat narcotics addiction.
Patients starting a treatment plan for opioid addiction receive their doses at a clinic. However, patients in a stable treatment plan can receive take-home doses for in-home usage.
While some BHG clinics were able to provide take-home doses, many patients reported on Reddit [1, 2, 3] that their clinics could not provide the usually prescribed medicine due to the computers being down and not able to print prescription labels.
Patients told BleepingComputer that this IT outage and the lack of take-homes caused significant discomfort and stress during the past week, as they were not able to go to the clinic to receive doses each day due to work constraints or other obstacles.
After contacting BHG about the systems outage, Behavioral Health Group confirmed to BleepingComputer that a cyberattack caused the outages.
“Behavioral Health Group is investigating a security incident that impacted our network. Upon learning of the incident, we took certain systems offline out of an abundance of caution and began a thorough investigation with leading information security experts,” Behavioral Health Group told BleepingComputer in a statement.
“Our primary focus remains the uninterrupted access to care for our patients. Our treatment centers are still fully operational and our clinical care teams continue to provide treatment including medication-assisted recovery to all patients.”
“In parallel, our systems technology teams are focused on a safe and efficient remediation process and the restoration of our systems.”https://d6f8cf3e9e947e55bb1ab176a0c3d05c.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html
When asked follow-up questions regarding the type of cyberattack and when it occurred, Behavioral Health Group told us that they could not provide further information due to an ongoing investigation.
If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731, Wire at @lawrenceabrams-bc, or on Jabber at lawrence.abrams@anonym.im.
Likely a ransomware attack
While BHG has not disclosed the nature of the incident, it was likely caused by a ransomware attack.
Some ransomware gangs promise not to attack healthcare institutions, and if they do so by accident, they will provide a recovery key. Other ransomware operations, like Hive or Vice, do not care who they attack, and expect victims to pay regardless of the physical danger their attacks cause.
“If IT department don’t want to do their job we will do ours and we don’t care if it hospital or university.” – Vice ransomware gang.
Furthermore, when threat actors conduct ransomware attacks, they commonly steal unencrypted data and documents before encrypting devices. This stolen data is then used as leverage by threatening to release data if a ransom is not paid.
The release of stolen data can significantly impact a company, leading to a data breach and potential lawsuits.
However, the true cost is to patients whose highly sensitive information may be disclosed publicly.
BHG patients who spoke to BleepingComputer said their biggest concern is that if threat actors stole data, it could reveal their addiction and treatment to family, friends, and employers.
There is no indication that data was stolen during the attack at this time, but if it was, we would likely learn about it in the future as the attackers attempt to extort BHG further.
Source: https://www.bleepingcomputer.com/news/security/cyberattack-on-bhg-opioid-treatment-network-disrupts-patient-care/
