Horizon Behavioral Health Data Breach Exposes Social Security Numbers

Published: April 24, 2025
Updated: April 28, 2025
Types of information affected

  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information


On March 16, 2025, Horizon Behavioral Health discovered a ransomware attack affecting its computer systems. The investigation, conducted with outside cybersecurity experts, determined that the incident began on or around March 13, 2025, and lasted until March 16, 2025. During this window, unauthorized actors may have accessed and obtained sensitive information from Horizon’s systems. The breach primarily impacted information related to insurance claims, but the types of data exposed varied by individual.

The exposed information included personally identifiable information (PII) such as names, Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, and similar identifiers. The breach also involved protected health information (PHI), including clinical details like diagnoses, conditions, medications, and other treatment information.

The breach was reported to the Massachusetts Attorney General’s office on April 22, 2025, with 18 Massachusetts residents confirmed as affected.

This incident is considered severe due to both the nature of the attack—a ransomware event perpetrated by criminal actors—and the sensitivity of the information exposed. The combination of PII and PHI increases the risk of identity theft, insurance fraud, and potential misuse of health information.

Horizon Behavioral Health's response

After discovering the ransomware attack, Horizon Behavioral Health took immediate steps to halt the incident and secure its systems. The organization engaged external cybersecurity experts to conduct a thorough investigation and assess the scope of the breach. Horizon also notified state and federal law enforcement agencies, including the FBI Cyber Crimes Division, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Virginia State Police Cyber Fusion Center, to support ongoing investigations.

To assist those affected, Horizon mailed notification letters on April 21, 2025, to individuals whose data was implicated in the breach. These letters included information about the incident and instructions for enrolling in free credit monitoring services. If you are a current or former Horizon patient and did not receive a letter but believe your information may have been affected, you are encouraged to contact Horizon at privacy@horizonbh.org to request credit monitoring.

Given the nature of the breach, it is important for affected individuals to remain vigilant. Horizon recommends the following steps:

  • Regularly review account statements and credit reports for any suspicious activity.
  • Consider placing a fraud alert or credit freeze with the major credit bureaus.
  • Monitor health insurance explanation of benefits statements for unfamiliar services.
  • Report any suspected identity theft to law enforcement and the Federal Trade Commission.

Notices were also filed with the Massachusetts Attorney General and the Vermont Attorney General. Horizon Behavioral Health posted a detailed data breach notice on its website.


Consumers Notification date
Date of Breach
Breach Discovered Date
Total People Affected
Information Types Exposed
  • demographic information (such as name, Social Security number, address, ZIP code, driver’s license number, date of birth, or similar identifier)
  • clinical information (which may include diagnosis/conditions, medications, or other treatment information)
  • information