What We Know, and Why Behavioral Health Is a Different Animal
The Horizon Behavioral Health data breach surfaced through the HHS Office for Civil Rights breach portal, the same wall of shame every covered entity ends up reading on a Monday morning hoping not to see their own name. Reporting indicates patient information was exposed, notification letters went out, and the matter is now in the queue at OCR. That is the predictable arc. What is less predictable is what happens next, because behavioral health breaches do not get treated like a dermatology practice losing a laptop.
Behavioral health records carry SUD content protected under 42 CFR Part 2 in addition to HIPAA. That changes the analysis. SAMHSA enforces Part 2. OCR enforces HIPAA. State attorneys general enforce their own breach notification statutes, and in Virginia, where Horizon operates, the AG’s office has been active on consumer data matters. Three regulators, three timelines, three different definitions of what counts as a reportable event. Operators who only plan for OCR are planning for a third of the problem.
The OCR Enforcement Climate Is Not Theoretical
In 2024, OCR collected over $12 million in HIPAA settlements and civil money penalties, and the Risk Analysis Initiative explicitly targets entities that cannot produce a current, enterprise-wide security risk analysis. That is the document everyone says they have and almost no one actually has in the form OCR wants. I have reviewed risk analyses at facilities in Florida, Texas, and New Jersey that were a four-page Word doc from 2021 with the IT vendor’s logo at the top. That is not a risk analysis. That is a liability.
The pattern in recent OCR resolutions (Doctors’ Management Services at $100,000, Green Ridge Behavioral Health at $40,000, Montefiore at $4.75 million) tells you what surveyors and investigators want to see. A real risk analysis. Evidence of remediation. Audit logs. Access reviews. Business associate agreements that actually exist and actually match the vendor relationship. The Horizon Behavioral Health data breach will be measured against that same checklist, and so will yours.
What Actually Fails in These Incidents
Forensic reports on behavioral health breaches read like the same script over and over. A phishing email lands. MFA was not enforced on a legacy admin account. The EMR vendor’s BAA was signed in 2019 and never updated when the vendor migrated to a new subprocessor. Offboarding was 48 hours behind, so a terminated employee still had Azure credentials. Backups existed but had never been tested for restore. None of this is exotic. All of it is preventable.
The other consistent failure is detection lag. Median dwell time in healthcare intrusions still runs into weeks. If your EMR cannot tell you, in real time, who logged in, from where, and whether that account should still exist, you do not have a security program. You have a hope. We tell every AHS client the same thing during their first EOC tour and IT review: if a surveyor or an OCR investigator asks for 90 days of access logs filtered by terminated users, you should be able to produce it before the meeting ends.
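The access-log check described above, and the offboarding and MFA gaps listed in the previous section, can be turned into a repeatable review. The block below is an added illustration, not code from the original post or from Atlantic Health Strategies. It assumes the EMR or identity provider can export sign-in events as CSV rows with a timestamp, user, source IP, MFA flag and role (a common shape, but the column names here are assumed), and that HR can supply a roster with termination dates; the log lines, user names and dates are constructed for the example.

```python
"""Review 90 days of sign-in events against an HR roster.

Flags three things an OCR investigator or surveyor would ask about:
  1. sign-ins by a user after their termination date,
  2. sign-ins by accounts that are not on the HR roster at all,
  3. admin-role sign-ins that did not use MFA.
Log format, users and dates below are constructed for illustration.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample export: timestamp, user, source_ip, mfa, role
SAMPLE_LOG = """\
timestamp,user,source_ip,mfa,role
2025-03-02T08:15:00,jdoe,10.0.4.21,yes,clinician
2025-03-09T22:41:00,jdoe,203.0.113.7,no,clinician
2025-03-10T09:05:00,admin-legacy,10.0.4.5,no,admin
2025-03-11T07:58:00,rlee,10.0.4.30,yes,clinician
2025-02-01T10:00:00,oldacct,10.0.4.9,no,admin
2025-03-12T14:20:00,sysadmin,10.0.4.2,yes,admin
2025-03-13T03:00:00,svc-backup,10.0.4.50,no,admin
"""

# Constructed HR roster: termination date, or None for active staff.
# Accounts missing from this dict have no HR record behind them.
ROSTER: dict[str, date | None] = {
    "jdoe": date(2025, 3, 5),      # terminated, but signs in four days later
    "rlee": None,
    "admin-legacy": None,
    "oldacct": date(2024, 12, 1),  # terminated months ago, still active
    "sysadmin": None,
}


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    source_ip: str
    mfa: bool
    role: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the CSV export into SignIn records, oldest first."""
    rows = csv.DictReader(StringIO(text))
    events = [
        SignIn(
            when=datetime.fromisoformat(r["timestamp"]),
            user=r["user"].strip(),
            source_ip=r["source_ip"].strip(),
            mfa=r["mfa"].strip().lower() == "yes",
            role=r["role"].strip().lower(),
        )
        for r in rows
    ]
    return sorted(events, key=lambda e: e.when)


def review_access(
    events: list[SignIn],
    roster: dict[str, date | None],
    as_of: date,
    window_days: int = 90,
) -> dict[str, list]:
    """Return the findings for the window ending on `as_of`."""
    start = as_of - timedelta(days=window_days)
    recent = [e for e in events if start <= e.when.date() <= as_of]

    post_termination = [
        e for e in recent
        if roster.get(e.user) is not None and e.when.date() > roster[e.user]
    ]
    unknown_users = sorted({e.user for e in recent if e.user not in roster})
    admin_without_mfa = [e for e in recent if e.role == "admin" and not e.mfa]

    return {
        "post_termination": post_termination,
        "unknown_users": unknown_users,
        "admin_without_mfa": admin_without_mfa,
    }


def format_report(findings: dict[str, list]) -> str:
    """Plain-text summary suitable for handing to an investigator."""
    lines = []
    for e in findings["post_termination"]:
        lines.append(f"POST-TERMINATION  {e.when:%Y-%m-%d %H:%M} {e.user} from {e.source_ip}")
    for u in findings["unknown_users"]:
        lines.append(f"NOT ON ROSTER     {u}")
    for e in findings["admin_without_mfa"]:
        lines.append(f"ADMIN NO MFA      {e.when:%Y-%m-%d %H:%M} {e.user} from {e.source_ip}")
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(format_report(review_access(parse_log(SAMPLE_LOG), ROSTER, date(2025, 3, 15))))
```

The roster join is the part that matters: the log alone cannot say whether an account should still exist, so the review is only as good as the HR feed behind it. In practice the export comes from the identity provider or EMR audit table rather than a string, and the run is scheduled so the 90-day answer already exists when someone asks for it.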
The Part 2 Layer Most Operators Underestimate
Here is where behavioral health operators get hurt. The 2024 Part 2 final rule aligned breach notification with HIPAA, but it did not erase the underlying confidentiality protections. A breach involving SUD treatment records is not just a HIPAA event. It is a Part 2 event, and the disclosure rules around law enforcement, subpoenas, and even internal investigations are stricter than most general counsel realize. I have watched a Pennsylvania facility hand over records during an incident response that should never have left the building without a court order meeting Part 2 standards. That mistake compounded the breach into a separate regulatory finding.
If you operate any ASAM Criteria, 4th Edition level of care that touches SUD (Level 3.7 medically-monitored intensive inpatient, Level 3.5 clinically managed high-intensity residential, Level 2.5 partial hospitalization, the outpatient continuum), your breach response playbook needs a Part 2 decision tree sitting next to your HIPAA one. Two separate analyses. Same incident.
What To Do Before You Are The Next Headline
Five things, in order, that we are walking AHS clients through this quarter. One: refresh the enterprise security risk analysis with a real methodology (NIST 800-30 or HHS SRA Tool), dated within the last 12 months, with documented remediation tracking. Two: pull your BAA inventory and reconcile it against your actual vendor list, including subprocessors. Three: enforce MFA on every account, no exceptions for the founder or the CFO. Four: test your incident response plan with a tabletop that includes OCR, SAMHSA, and your state AG notification timelines on the same clock. Five: confirm your cyber liability policy actually covers Part 2 regulatory defense, not just HIPAA.
We will be at NAATP National in Amelia Island May 4 through 6, sponsoring the Women in Leadership Luncheon. Allison, Benjamin, Leah and I will be there. If you want to talk through your own breach readiness, or you are sitting on an incident right now and not sure who to call first, find us. The Horizon Behavioral Health data breach is not the last one this year. It is just the one with a name attached this week.
References
- HHS Office for Civil Rights: Breach Portal (Cases Currently Under Investigation)
- HHS OCR: HIPAA Resolution Agreements and Civil Money Penalties
- SAMHSA: 42 CFR Part 2 Confidentiality Regulations
- Federal Register: 42 CFR Part 2 Final Rule (February 2024)
- HHS: Guidance on Risk Analysis Requirements under the HIPAA Security Rule
- Office of the Attorney General of Virginia
- American Society of Addiction Medicine: The ASAM Criteria, 4th Edition