Behavioral Health Resources Data Breach

NOTICE: If you received a NOTICE OF DATA BREACH letter from Behavioral Health Resources, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options, or submit a confidential Case Evaluation form here.

On April 18, 2025, Behavioral Health Resources (“BHR”) reported a significant cybersecurity incident to the Maine Attorney General’s Office. The incident, which occurred on or before November 20, 2024, involved unauthorized access to BHR’s computer systems (the “Data Breach”). Upon detecting suspicious activity, BHR initiated an investigation with the assistance of third-party cybersecurity specialists. The investigation determined that an unauthorized actor gained access to certain systems containing sensitive information. Approximately 50,083 individuals have been impacted.

Recently, BHR began sending data breach notification letters to individuals affected by the Data Breach. These letters include information about the incident and steps individuals can take to protect their personal information. As of now, BHR has not disclosed any further information about the Data Breach. If you received a data breach notification letter from BHR, it indicates that your information was affected by the Data Breach.

With over 250 employees, Behavioral Health Resources is a non-profit organization headquartered in Olympia, Washington, providing behavioral health and substance use disorder treatment services across Thurston, Grays Harbor, and Mason Counties. BHR offers a range of services, including outpatient therapy, crisis response, and case management, aiming to support individuals and families in achieving mental wellness. 

WHAT INFORMATION IS INVOLVED IN THE BEHAVIORAL HEALTH RESOURCES DATA BREACH?

The types of information compromised vary by individual but may include the following: 

  • Full name (including maiden name),
  • Address,
  • Date of birth,
  • Social Security number,
  • Telephone and/or fax number,
  • Full-face photographic image,
  • Birth and/or marriage certificate,
  • Government-issued ID (taxpayer identification number (TIN), tribal ID, certificate/license number),
  • Electronic/digital signature,
  • Financial institution name,
  • Medical record number,
  • Health plan beneficiary number,
  • Account number,
  • Biometric and/or genetic data,
  • Medical billing information,
  • Medical information (including diagnosis, condition, treatment, lab results, provider name, physician, patient ID, medication information, admission and discharge dates, treatment cost, and date of death),
  • Health insurance information,
  • Other health-related information and incidental health references. 

This information is called your Personally Identifiable Information (“PII”). It tells others about you and is considered part of your identity. Businesses are required to secure this information or risk facing statutory penalties, among other legal penalties. Stolen PII can be used by identity thieves to engage in fraudulent activity using your identity. 

Personal medical information (a specific type of PII) is referred to as Protected Health Information (“PHI”). It is protected under both state and federal law. Healthcare providers and other businesses that handle PHI are required to protect that information. Like stolen PII, stolen PHI can be used by identity thieves to engage in fraudulent activity using your identity. Quite often, hackers use PII and PHI in conjunction.

The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible. 

California offers extra protections and legal rights to its residents through the California Consumer Privacy Act (“CCPA”).
