Addiction services provider reveals cyberattack
No evidence that client information was misused
WEST ROCKHILL >> A ransomware attack against mental health and anti-addiction services provider Penn Foundation gave the attacker access to personal information of clients, but it does not appear any of that information has been used in an unauthorized manner, Penn Foundation officials said while giving notification June 29.
“We have no indication of any misuse or further dissemination of patient/client information or of any other impact on patients or clients,” Jennifer Smith, Penn Foundation’s communications and grants coordinator, wrote in answer to emailed questions for this article.
A notification letter dated June 29 and signed by Penn Foundation President Wayne Mugrauer outlined the attack and response.
“On February 10, 2021, we discovered that we were unable to access many of our workstations and servers. Upon discovery of this incident, we promptly engaged a specialized cybersecurity firm to conduct a forensic investigation to determine the nature and scope of the incident. The forensic investigation was completed on May 27, 2021,” the letter said. “The investigation confirmed that we were the victim of a ransomware attack.”
A manual review, which concluded on June 22, was done to determine the patients/clients potentially affected, the letter said.
“The data potentially accessed includes, as applicable, patients’/clients’ first and last name in combination with social security number, financial account number, medical/health information, health insurance information, and/or demographic information,” the letter, sent to those whose information was impacted, said.
“At this time, we are not aware of your information being used in an unauthorized manner, but out of an abundance of caution, we want to make you aware of this matter and offer resources to help protect your information.”
The information included how to access data protection resources and/or register for credit monitoring services being offered by Penn Foundation, the letter said.
“Penn Foundation was able to promptly recover access to its systems in February and did not pay any ransom,” Smith wrote in the email.
The letter said changes made to prevent a similar event in the future “include, but are not limited to, changing all passwords, wiping and reformatting computers, and installing network protection programs.”