On December 16, 2022, Monarch filed notice of a data breach with the Massachusetts Attorney General as well as the U.S. Department of Health and Human Services Office for Civil Rights after a ransomware attack resulted in confidential patient information being exposed to an unauthorized party. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ full names, protected health information and Social Security numbers. After confirming that consumer data was leaked, Monarch began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.

If you were recently a patient of a Monarch healthcare provider, your personal and highly-sensitive information may now be in the hands of bad actors looking to use your data to steal your identity. As we’ve previously discussed in other pieces, hackers have become brazen in their cyberattacks in recent years. They have also begun targeting the information they know can generate the most profit on the dark web. Social Security numbers and protected health information provide hackers with the data they need to carry out a wide range of frauds. And while there is nothing you could have done to prevent an attack, there are steps you can take to protect yourself. Additionally, if the pending investigation reveals that Monarch was negligent in how it stored patient data, affected patients may be able to pursue a data breach lawsuit against the company.

What We Know So Far About the Monarch Breach

The available information regarding the Monarch breach comes from the company’s filings with the Massachusetts Attorney General and the U.S. Department of Health and Human Services Office for Civil Rights. According to these sources, on August 29, 2022, Monarch learned that it had been the victim of a ransomware attack. While Monarch did not divulge how it came to learn of the attack, upon making this discovery, the company secured its networks and began working with third-party forensic specialists to investigate the incident and determine what, if any, patient information was compromised.

The Monarch investigation confirmed the recent ransomware attack and also revealed that certain files contained on the company’s network were accessed by the unauthorized party who orchestrated the attack. It was also discovered that some of the files that were compromised contained sensitive information related to certain patients.

Upon discovering that sensitive consumer data was made available to an unauthorized party, Monarch began to review the affected files to determine what information was compromised and which consumers were impacted. Monarch completed this process on November 22, 2022. While the breached information varies depending on the individual, it may include your first and last name, Social Security number, and protected health information.

On December 26, 2022, Monarch sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to the U.S. Department of Health and Human Services Office for Civil Rights, the Monarch data breach impacted the information of 56,155 individuals.

More Information About Monarch

Founded in 1958, Monarch is a healthcare provider based in Albemarle, North Carolina. Monarch serves individuals experiencing intellectual and developmental disabilities, mental illness and substance use disorders across North Carolina, providing a wide range of services, including behavioral health services, long-term support & services, and tailored care management. Monarch employs more than 1,886 people and generates approximately $86 million in annual revenue.