Atlantic Health Strategies

Horizon Behavioral Health Data Breach: What Operators Should Actually Take From It

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The Short Answer: Three Regulators, Not One

A behavioral health breach involving SUD records is a three-regulator problem, not a one-regulator problem. Operators who plan only for the HHS Office for Civil Rights (OCR) under HIPAA are planning for roughly a third of the exposure. The Horizon Behavioral Health incident will be measured on at least three tracks: OCR under HIPAA, the confidentiality rules at 42 CFR Part 2 (now enforced by OCR after an August 2025 delegation from the HHS Secretary), and the Virginia Attorney General under state breach notification law.

The breach surfaced through the OCR breach portal, the wall of shame every covered entity reads on a Monday morning hoping not to see their own name. Reporting indicates patient information was exposed, notification letters went out, and the matter is in the queue at OCR. That is the predictable arc.

What is less predictable is what happens next. Behavioral health records carry SUD content protected under 42 CFR Part 2 in addition to HIPAA. That changes the analysis. On August 25, 2025, the HHS Secretary delegated to the Director of OCR the authority to administer and enforce Part 2, so OCR now enforces HIPAA and Part 2 together. The 2024 Part 2 Final Rule has been effective since April 16, 2024, with compliance required by February 16, 2026, and Part 2 penalties now align with the HIPAA Privacy, Security, and Breach Notification Rules. State attorneys general enforce their own breach notification statutes on top of all of that.

Three regulators. Three timelines. Three different definitions of what counts as a reportable event.

The OCR Enforcement Climate Is Not Theoretical

Horizon Behavioral Health Data Breach: What Operators Should Actually Take From It — The OCR Enforcement Climate Is Not Theoretical

OCR launched its Risk Analysis Initiative in October 2024. The first action, against Bryan County Ambulance Authority in Oklahoma, settled for $90,000 on October 31, 2024 after a ransomware attack that encrypted the ePHI of 14,273 patients and a finding that BCAA had never conducted a compliant risk analysis.

The driver behind the initiative is uncomfortable. An OCR Phase 2 audit conducted in 2016 to 2017 concluded that only 14 percent of covered entities, and 17 percent of business associates, were substantially fulfilling their regulatory responsibilities to safeguard ePHI through risk analysis activities. Then-OCR Director Melanie Fontes Rainer put it plainly when the Bryan County settlement was announced: “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware.”

The number that should make every behavioral health operator sit up: OCR has tracked a 264% increase in large breaches reported involving ransomware since 2018. I have reviewed risk analyses at facilities in Florida, Texas, and New Jersey that were a four-page Word doc from 2021 with the IT vendor’s logo at the top. That is not a risk analysis. That is a liability.

Two settlements tell you what investigators want on the record. Green Ridge Behavioral Health, a Maryland outpatient psychiatric practice, paid $40,000 after a ransomware attack that resulted in the acquisition of the protected health information of over 14,000 patients, and entered a three-year OCR-monitored corrective action plan. Montefiore Medical Center paid $4.75 million in February 2024 after an employee unlawfully accessed the records of 12,517 patients over a six-month period and sold the information to an identity theft ring. OCR wants a real risk analysis, evidence of remediation, audit logs, access reviews, and business associate agreements that match the vendor relationship. The Horizon breach will be measured against that same checklist. So will yours.

What Actually Fails in These Incidents

Forensic reports on behavioral health breaches read like the same script over and over. A phishing email lands. MFA was not enforced on a legacy admin account. The EMR vendor’s BAA was signed in 2019 and never updated when the vendor migrated to a new subprocessor. Offboarding ran 48 hours behind, so a terminated employee still had Azure credentials. Backups existed but had never been tested for restore. None of this is exotic. All of it is preventable.

OCR investigators are seeing the same script. In every Risk Analysis Initiative case to date, OCR has found that the regulated entity failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to its ePHI. OCR has been explicit that template forms and generic tools that fail to account for the unique aspects of an organization’s network are a common deficiency.

The other consistent failure is detection lag. Montefiore is the cautionary tale. The New York Police Department, not Montefiore, alerted the hospital in May 2015 to the theft, and the internal investigation then revealed the employee had accessed the records without authorization for six months between January and June 2013, roughly two years before anyone at the hospital noticed. If your EMR cannot tell you, in real time, who logged in, from where, and whether that account should still exist, your team does not have a security program. Your team has a hope.

Every AHS client hears the same directive during their first EOC tour and IT review: if a surveyor or OCR investigator asks for 90 days of access logs filtered by terminated users, your team should produce it before the meeting ends.

The Part 2 Layer Most Operators Underestimate

Here is where behavioral health operators get hurt. The 2024 Part 2 Final Rule applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2, and aligns Part 2 penalties with HIPAA by replacing prior criminal penalties with civil and criminal enforcement authorities that also apply to HIPAA violations. Aligned, not erased. The underlying confidentiality protections still bite.

A breach involving SUD treatment records is not just a HIPAA event. It is a Part 2 event. The 2024 Final Rule continues to prohibit the use of Part 2 records in legal proceedings against the patient without specific consent or a court order, which is more stringent than the HIPAA standard. I watched a Pennsylvania facility hand over records during an incident response that should never have left the building without a court order meeting Part 2 standards. That mistake compounded the breach into a separate regulatory finding.

If you operate any ASAM Criteria, 4th Edition level of care that touches SUD (residential withdrawal management, clinically managed residential, partial hospitalization as an outpatient level of care, or the rest of the outpatient continuum), your breach response playbook needs a Part 2 decision tree sitting next to your HIPAA one. Two separate analyses. Same incident.

Beginning February 16, 2026, anyone can file a Part 2 complaint directly with OCR, and OCR investigates alleged noncompliance under the HIPAA Enforcement Rule at 45 CFR part 160. Anyone still running a HIPAA-only playbook is already behind.

Horizon Behavioral Health Data Breach: What Operators Should Actually Take From It — The Part 2 Layer Most Operators Underestimate

What To Do Before You Are the Next Headline

Five things, in order, that AHS clients are working through this quarter:

  1. Refresh the enterprise security risk analysis with a real methodology (HHS points to NIST Special Publication 800-30 as one example, and ONC in collaboration with OCR developed a Security Risk Assessment Tool), dated within the last 12 months, with documented remediation tracking. Template forms that ignore your specific network are a documented OCR deficiency.
  2. Pull your BAA inventory and reconcile it against your actual vendor list, including subprocessors. Green Ridge’s corrective action plan required an audit of third-party vendors to ensure appropriate business associate agreements are in place. Do it before the fact, not after.
  3. Enforce MFA on every account, no exceptions for the founder or the CFO. Legacy admin accounts without MFA are the single most common entry point in the forensic reports I read.
  4. Tabletop your incident response plan with OCR, Part 2, and your state AG notification timelines on the same clock. If your team cannot articulate what the HIPAA/Part 2 60-day clock triggers versus a state statute that requires notice in 30 or 45 days, that is a live gap.
  5. Confirm your cyber liability policy actually covers Part 2 regulatory defense, not just HIPAA. Most policies my clients hand me on day one do not.

AHS will be at NAATP National in Amelia Island, sponsoring the Women in Leadership Luncheon. Allison, Benjamin, Leah, and I will be there. If you want to walk through your own breach readiness, or you are sitting on an incident right now and not sure who to call first, find us.

The Horizon Behavioral Health breach is not the last one this year. It is just the one with a name attached this week.

Frequently asked questions

How many regulators investigate a behavioral health data breach involving SUD records?

At least three. OCR investigates the HIPAA side and, following an August 2025 HHS delegation, OCR also administers and enforces 42 CFR Part 2 (previously enforced by SAMHSA). The relevant state attorney general enforces state breach notification statutes on a separate clock. Under the 2024 Part 2 Final Rule, breach notification for SUD records now mirrors the HIPAA Breach Notification Rule, which triggers a 60-day clock from discovery to notify patients, HHS, and, for breaches affecting 500 or more individuals, the media.

What is OCR’s Risk Analysis Initiative and why does it matter for treatment centers?

OCR launched the initiative in October 2024 to target entities that cannot produce a current, enterprise-wide HIPAA Security Rule risk analysis. It began with a $90,000 settlement against Bryan County Ambulance Authority in Oklahoma after a ransomware attack that encrypted the ePHI of 14,273 patients, and every case since has cited a failure to conduct an accurate and thorough assessment. OCR investigators are looking for an accurate, organization-specific analysis with documented remediation, not a template.

What did Green Ridge Behavioral Health do wrong, and what should treatment center operators learn?

OCR found that Green Ridge, a Maryland-based psychiatric practice, failed to conduct an accurate and thorough risk analysis, failed to implement security measures to reduce risks to a reasonable and appropriate level, and failed to sufficiently monitor its information systems’ activity. A 2019 ransomware attack resulted in the acquisition of the PHI of over 14,000 patients. Green Ridge paid $40,000 and accepted three years of OCR monitoring under a corrective action plan that required, among other things, an audit of third-party vendor arrangements and updated business associate agreements. Small footprint does not equal small exposure.

Does PHP get treated the same as residential under Part 2 in a breach?

For record confidentiality, yes. Partial Hospitalization (ASAM Criteria, 4th Edition Level 2.5) is an outpatient level of care, but if the program is federally assisted and provides SUD diagnosis, treatment, or referral, its records are Part 2 records. The breach analysis is the same regardless of the level of care: HIPAA Breach Notification Rule timing applies under the 2024 Final Rule, and Part 2 confidentiality protections still govern how those records can be disclosed during the incident response, including the stricter court-order standard for use in legal proceedings against the patient.

Request a Free Consultation

Scroll to Top