Brunswick Hospital Center Data Breach Exposes Social Security Numbers

On September 3, 2024, Brunswick Hospital Center (BHC), a private psychiatric hospital in Amityville, New York, discovered suspicious activity on its computer network. Following a swift response, BHC determined that an unauthorized actor gained access to certain systems between July 17, 2024, and August 6, 2024. The threat actor, identified as the ThreeAM ransomware group, claimed responsibility for the attack and published the stolen data on their dark web portal on the Tor network.

A thorough investigation with cybersecurity specialists revealed that the attacker viewed or downloaded sensitive data from BHC’s systems. According to the notice filed with the Massachusetts Attorney General, 35 Massachusetts residents were affected, with the total number of impacted individuals likely higher across other states.

The breach exposed a significant amount of personally identifiable information (PII) and protected health information (PHI). Exposed data includes full name, address, date of birth, Social Security number, government-issued identification, financial account information, payment card information, dates of service, patient identification number, treatment information, medication information, procedure codes, procedure costs, procedure and provider information, diagnosis, health insurance information, claim information, and information related to the payment of healthcare service.

The breach was first reported to the U.S. Department of Health and Human Services on November 1, 2024. The severity of this incident is considerable, as both sensitive personal and medical information were compromised. The use of ransomware and the publication of data on the dark web further increase the risk to affected individuals.

Brunswick Hospital Center's response

To support those affected, BHC is offering complimentary credit monitoring and identity restoration services through Experian IdentityWorks for a set period. Impacted individuals must enroll themselves to take advantage of these services; instructions and activation codes are provided in the official notice.

The hospital encourages all potentially affected patients to remain vigilant by monitoring their account statements, explanation of benefits, and credit reports for suspicious activity. Steps such as placing a fraud alert or credit freeze with major credit bureaus are also recommended.

A detailed list of protective actions and contact information for credit bureaus and government agencies is included in the official notice, which is available on Brunswick Hospital Center website's Notice of Data Event.

If you believe you may be affected, you can contact the dedicated assistance line at 855-591-0272, Monday through Friday from 9 am to 9 pm Eastern time, or write to Brunswick Hospital Center at 81 Louden Avenue, Amityville, NY 11701.