High Severity (Score: 6/10)

Highland Rivers Behavioral Health Data Breach Affects 2,253 Patients


Breach Details

Entity: Highland Rivers Behavioral Health
Individuals Affected: 2,253
State: Georgia (GA)
Breach Type: Hacking/IT Incident
Location of Breach: Network Server
Date Reported to HHS: April 15, 2025
Entity Type: Healthcare Provider
Business Associate Involved: No

On April 15, 2025, Highland Rivers Behavioral Health, a healthcare provider based in Georgia, reported a significant data breach to the U.S. Department of Health and Human Services' Office for Civil Rights. The hacking incident compromised the organization's network server and potentially exposed the sensitive protected health information of 2,253 individuals.

What Happened

Highland Rivers Behavioral Health discovered that unauthorized individuals had gained access to its computer systems in what the organization classified as a hacking/IT incident. The breach specifically involved the organization's network server, which contained sensitive patient information.

The healthcare provider filed its official breach notification with the HHS Office for Civil Rights on April 15, 2025, meeting the 60-day reporting deadline under HIPAA regulations. Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), covered entities must report breaches affecting 500 or more individuals to HHS within 60 days of discovery.

While the specific technical details of how the hackers gained access remain unclear, the incident represents another example of the growing cybersecurity threats facing behavioral health providers across the United States.

Who Is Affected

The data breach has impacted 2,253 individuals who received services from Highland Rivers Behavioral Health. As a behavioral health provider in Georgia, Highland Rivers serves patients seeking mental health and substance abuse treatment services.

Patients whose information may have been compromised include those who:

  • Received behavioral health services from Highland Rivers
  • Had their protected health information stored on the affected network server
  • Were patients during the timeframe when the breach occurred

The organization is required under HIPAA's Breach Notification Rule to provide individual notice to all affected patients within 60 days of discovering the breach.

The breach notification indicates that no business associate was involved in this incident, meaning the compromised system sat within Highland Rivers' own IT infrastructure rather than at a third-party vendor.

Currently, Highland Rivers has not disclosed additional specific details about:

  • The exact date the breach was discovered
  • What types of patient information were accessed
  • Whether any data was actually exfiltrated or only accessed
  • The specific method hackers used to gain entry
  • What security measures have been implemented in response

What This Means for Patients

For the 2,253 affected individuals, this breach represents a serious privacy violation that could have lasting consequences. Protected Health Information (PHI) stored on healthcare networks typically includes:

  • Personal identifiers: Names, addresses, phone numbers, email addresses
  • Medical information: Diagnoses, treatment records, medication lists
  • Financial data: Insurance information, billing records, payment details
  • Demographic information: Birth dates, Social Security numbers
  • Behavioral health records: Mental health diagnoses, therapy notes, substance abuse treatment records

Behavioral health information is particularly sensitive, as it can impact patients' employment opportunities, insurance coverage, and personal relationships if disclosed inappropriately.

Under HIPAA Section 164.408, Highland Rivers must provide affected patients with:

  • Description of what happened and when it was discovered
  • Types of information involved in the breach
  • Steps individuals should take to protect themselves
  • What the organization is doing in response
  • Contact information for questions

How to Protect Yourself

If you are a Highland Rivers Behavioral Health patient, take these immediate steps:

Monitor Your Accounts

  • Review medical statements and insurance Explanation of Benefits (EOB) for unauthorized services
  • Check credit reports from all three bureaus (Experian, Equifax, TransUnion) for suspicious activity
  • Monitor bank and credit card statements for unauthorized charges
  • Watch for unexpected medical bills that might indicate medical identity theft

Stay Alert for Fraud

  • Be suspicious of phishing emails or calls requesting personal information
  • Don't provide personal details to unsolicited contacts claiming to be from Highland Rivers
  • Verify any communications by calling Highland Rivers directly using published contact information

Consider Identity Protection

  • Place fraud alerts on your credit reports
  • Consider freezing your credit to prevent new accounts from being opened
  • Sign up for identity monitoring services if offered by Highland Rivers
  • Keep detailed records of all communications and monitoring activities

Contact Highland Rivers

Reach out to Highland Rivers Behavioral Health directly for:

  • Confirmation of whether your information was involved
  • Details about what specific information may have been accessed
  • Information about credit monitoring or identity protection services being offered
  • Updates on their investigation and response efforts

Prevention Lessons for Healthcare Providers

This breach highlights critical cybersecurity vulnerabilities that healthcare organizations must address:

Network Security Fundamentals

  • Implement multi-factor authentication for all system access
  • Regularly update and patch all software and operating systems
  • Use enterprise-grade firewalls and intrusion detection systems
  • Conduct regular security assessments and penetration testing

HIPAA Compliance Requirements

Under HIPAA's Security Rule (45 CFR § 164.308), covered entities must:

  • Designate a security officer responsible for developing and implementing security policies
  • Conduct regular security risk assessments
  • Implement access controls to limit PHI access to authorized personnel only
  • Provide security awareness training to all workforce members
  • Maintain audit logs of system access and user activity

Incident Response Planning

Healthcare providers should:

  • Develop comprehensive incident response plans before breaches occur
  • Train staff on breach identification and response procedures
  • Establish relationships with forensic investigators and legal counsel
  • Practice breach response scenarios through regular drills
  • Maintain current contact information for all patients to enable rapid notification

Ongoing Monitoring

  • Implement 24/7 network monitoring to detect suspicious activity
  • Regularly review access logs for unauthorized attempts
  • Update security measures based on emerging threats
  • Conduct employee background checks and security training
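The audit-log requirement under "HIPAA Compliance Requirements" and the "Regularly review access logs for unauthorized attempts" item above are easy to state and rarely shown concretely. The script below is an added example, not code from Highland Rivers, HIPAA Agent, or the HHS portal. It assumes a simple line-oriented access log for a network server (ISO-8601 timestamp followed by key=value fields; the format, the event names, the thresholds and the 07:00-19:00 UTC business-hours window are all assumptions chosen for the sample) and applies four review rules a defender would typically start with: a burst of failed logins, a successful login right after such a burst, PHI access outside business hours, and bulk PHI access by one account. The log lines embedded in the script are constructed, not real data.

```python
"""Review a network-server access log for signs of unauthorized access.

Added example for illustration only. Log format, event names and thresholds
are assumptions; adapt them to the EHR or server that actually emits the log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2025-02-10T08:02:11Z user=nurse01 src=10.0.5.21 event=LOGIN_SUCCESS
2025-02-10T08:05:40Z user=nurse01 src=10.0.5.21 event=PHI_ACCESS record=MRN-0001
2025-02-10T02:14:07Z user=admin src=203.0.113.9 event=LOGIN_FAILURE
2025-02-10T02:14:19Z user=admin src=203.0.113.9 event=LOGIN_FAILURE
2025-02-10T02:14:31Z user=admin src=203.0.113.9 event=LOGIN_FAILURE
2025-02-10T02:14:44Z user=admin src=203.0.113.9 event=LOGIN_FAILURE
2025-02-10T02:14:58Z user=admin src=203.0.113.9 event=LOGIN_FAILURE
2025-02-10T02:16:03Z user=admin src=203.0.113.9 event=LOGIN_SUCCESS
2025-02-10T02:17:10Z user=admin src=203.0.113.9 event=PHI_ACCESS record=MRN-0002
2025-02-10T02:17:12Z user=admin src=203.0.113.9 event=PHI_ACCESS record=MRN-0003
2025-02-10T02:17:14Z user=admin src=203.0.113.9 event=PHI_ACCESS record=MRN-0004
2025-02-10T02:17:16Z user=admin src=203.0.113.9 event=PHI_ACCESS record=MRN-0005
2025-02-10T14:30:00Z user=billing02 src=10.0.7.4 event=PHI_ACCESS record=MRN-0006
"""

FAIL_THRESHOLD = 5                 # failures within FAIL_WINDOW that count as a burst
FAIL_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 4                 # distinct records read within BULK_WINDOW
BULK_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC; an assumption for the sample


def parse_line(line):
    """Turn '2025-...Z user=x src=y event=Z' into a dict with a tz-aware 'ts'."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_access_log(text):
    """Return a list of findings; each is a dict with rule, ts, user, src and detail."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])          # logs are not always written in order
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failed logins
    accesses = defaultdict(deque)   # user -> (ts, record) of recent PHI reads
    findings = []

    def flag(rule, ev, **detail):
        findings.append({"rule": rule, "ts": ev["ts"].isoformat(),
                         "user": ev.get("user"), "src": ev.get("src"), **detail})

    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        kind = ev.get("event")
        if kind == "LOGIN_FAILURE":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:                 # fire once when the burst forms
                flag("FAILED_LOGIN_BURST", ev, failures=len(q))
        elif kind == "LOGIN_SUCCESS":
            q = failures[key]
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:                 # guessed its way in
                flag("SUCCESS_AFTER_FAILURES", ev, failures=len(q))
            q.clear()
        elif kind == "PHI_ACCESS":
            if ev["ts"].hour not in BUSINESS_HOURS:
                flag("AFTER_HOURS_PHI_ACCESS", ev, record=ev.get("record"))
            q = accesses[ev.get("user")]
            q.append((ev["ts"], ev.get("record")))
            while q and ev["ts"] - q[0][0] > BULK_WINDOW:
                q.popleft()
            distinct = {rec for _, rec in q}
            if len(distinct) == BULK_THRESHOLD:          # fire once per burst of reads
                flag("BULK_PHI_ACCESS", ev, records=len(distinct))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a reviewer looks at first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

Run on the constructed log, every finding points at the same account and source address: five failures in under a minute, a success shortly after, then four patient records read at 02:17 UTC. That chain is what "regularly review access logs" is meant to surface; in production the same rules would run continuously against the server's real log stream rather than over a static file, and the business-hours window would reflect local clinic hours.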

The Highland Rivers breach serves as a reminder that cybersecurity is not optional in healthcare—it's a fundamental requirement for protecting patient privacy and maintaining trust.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.