Why Behavioral Health Data Gets Targeted
Feb. 16, 2026
Mental health and substance use data carries legal weight, long-term consequences, and the potential for real-world harm if exposed. That combination is exactly why attackers target behavioral health and assisted living providers.
If you work in assisted living, adult foster care, homes for the aged, or behavioral health, you are holding information people trust you with at their most vulnerable moments. Attackers know that, and they also know many providers in this space are stretched thin on IT staffing and security tooling.
Mental health and substance use records are valuable to criminals because they're permanent, detailed, and useful for fraud, coercion, and long-term exploitation.
Facilities across the country are discovering "simple IT" environments don't reduce cyber risk. In many cases, they increase it.
Why This Data Is Different
Hackers don't choose targets based on size alone. They target environments where disruption creates pressure. Assisted living, mental health, and behavioral health facilities often share the characteristics attackers look for: thin operating margins, small or informal IT teams, heavy reliance on third-party billing, electronic health records, and care platforms, and highly sensitive patient and employee data.
Most companies think of breaches as a credit card problem. But stolen credit cards get canceled. Clinical data does not.
Behavioral health records often contain narrative detail you don't see in many other clinical settings, including assessments, treatment plans, progress notes, medication history, crisis notes, relapse history, and family or social context. Once exposed, that story cannot be reset.
Why Hackers Want Mental Health and Substance Use Records
1) The information is permanent
A breached card gets replaced. A breached diagnosis, treatment history, or therapy note does not. That permanence increases harm to the individual and increases leverage for the attacker.
2) It enables identity theft and insurance fraud
These records commonly include full identifiers (name, date of birth, address), insurance details, guarantor information, and sometimes Social Security numbers. That mix can be used to open accounts, submit fraudulent claims, or impersonate someone in health care systems.
Reuters reported that stolen medical information can be worth more than credit card numbers on underground markets because of how complete and reusable it is over time.
Source: Reuters via Yahoo Finance on the underground value of medical records
3) It can be used for coercion and reputational harm
Mental health and substance use information can expose things people are intensely private about. That creates risk of coercion, harassment, and reputational damage that goes beyond money. Even when attackers do not directly contact patients, they may pressure organizations by threatening to leak sensitive files.
4) It is often discovered late
Financial fraud tends to get flagged quickly. Medical identity fraud can sit quietly until a denial of coverage, a surprise bill, a prescription history mismatch, or a chart record problem brings it to light. That delay gives attackers more time to monetize stolen data.
These facilities are targeted because hackers know the impact of disruption is immediate.
For many providers, the most immediate damage is operational. If payroll, email, or finance workflows go down, care delivery gets harder fast.
Cybersecurity Is a Care Continuity Issue
For long-term care and behavioral health providers, cybersecurity is no longer a technical upgrade. It's directly tied to resident and patient safety, staff operations and retention, financial stability, regulatory exposure, and community trust.
When systems go down, care doesn't pause. Staff are forced to make decisions without access to complete information, increasing risk for everyone involved.
What a Managed Cybersecurity Partner Actually Provides
A managed service provider (MSP) or managed security service provider (MSSP) is not just outsourced IT support. In health care settings, they provide capabilities most facilities cannot staff internally.
That includes:
- Continuous monitoring to detect issues before care is disrupted.
- Protection against phishing and ransomware, the most common attack vectors.
- Patch management and system hardening.
- Tested backup and recovery planning.
- Documentation and support for HIPAA risk analysis and compliance.
- Incident response coordination when something goes wrong.
The Public Reality Check: The HHS Breach Portal
Health care breaches are not hidden. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights maintains a public breach reporting portal for incidents affecting 500 or more individuals. HHS also describes how covered entities and Part 2 programs must report breaches, including timing and submission requirements.
HHS guidance: submitting notice of a breach to the Secretary (HIPAA and Part 2)
HHS OCR Breach Portal, also known as the HIPAA Wall of Shame
The Extra Layer: 42 CFR Part 2 and Substance Use Records
Substance use disorder (SUD) treatment records often carry an additional confidentiality layer beyond HIPAA under 42 CFR Part 2. Part 2 was designed to reduce stigma and protect patients from being harmed because they sought treatment. In practice, it means SUD records can trigger stricter consent and disclosure rules than many organizations expect.
HHS issued a final rule updating Part 2 to better align with HIPAA while maintaining core protections. The rule is effective April 16, 2024, with a compliance date of February 16, 2026.
HHS fact sheet: 42 CFR Part 2 final rule
Federal Register: effective date and compliance date for the Part 2 final rule
Why this matters for cybersecurity: if a breach involves Part 2 records, you are not just dealing with reputational damage. You may also be dealing with a stricter confidentiality regime and additional compliance exposure.
What Attack Patterns Tell Us
Broad breach reporting consistently shows many incidents still start with basic, preventable footholds: stolen credentials, phishing, misconfigurations, and exploited vulnerabilities. The Verizon Data Breach Investigations Report (DBIR) is one of the best annual snapshots of how breaches happen across industries.
What This Means for Your Business
You don't need to become a cybersecurity expert to reduce risk. You do need a plan that matches what attackers actually do and what your environment actually looks like.
Start here:
- Identify your high-risk data: mental health notes, substance use disorder (SUD) treatment data, resident data, workforce files, and financial workflows.
- Confirm whether you have Part 2 exposure and whether your workflows handle it intentionally.
- Turn on multi-factor authentication (MFA) across email, remote access, EHR platforms, payroll, and financial systems.
- Lock down access: remove shared logins, reduce admin privileges, and review vendor access routinely.
- Back up critical systems and test restores. A backup you cannot restore is not a backup.
- Train staff with realistic scenarios: phishing, invoice fraud, payroll diversion, and executive impersonation.
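The "test restores" item above is the one most facilities skip, so here is what a minimal restore drill looks like in practice. This is an added example, not code from the original article or from STACK Cybersecurity: it backs up a directory into a tar.gz archive, records a SHA-256 manifest, restores the archive into a scratch directory, and compares every restored file against the manifest. A deliberately truncated copy of the archive shows the drill catching a backup that cannot be restored. The sample files (a stand-in "EHR export" with a progress note and a billing CSV) and all paths are constructed for the example.

```python
"""Backup-and-restore verification drill (constructed example).

Backs up a directory, writes a SHA-256 manifest, restores the archive into
a scratch directory, and checks every file against the manifest. Any file
that is missing, altered, or unexpected after restore fails the drill, as
does an archive that cannot be read at all.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under source into a tar.gz and return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore archive into a scratch directory and compare it with manifest.

    Returns a list of problems; an empty list means the restore drill passed.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where the interpreter has it
                # (Python 3.12+, backported to some 3.8-3.11 releases).
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(restore_root, filter="data")
                else:
                    tar.extractall(restore_root)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(restore_root)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def run_drill() -> tuple[list[str], list[str]]:
    """Run the drill on constructed sample data.

    Returns (problems for the intact archive, problems for a truncated copy).
    """
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "ehr_export"  # constructed stand-in for an EHR export
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "progress_note.txt").write_text(
            "constructed sample progress note\n"
        )
        (source / "billing.csv").write_text("claim_id,amount\n1001,250.00\n")

        archive = workdir / "backup.tar.gz"
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)

        # Simulate a backup that looks present but is unusable: truncate it.
        data = archive.read_bytes()
        truncated = workdir / "backup_truncated.tar.gz"
        truncated.write_bytes(data[: len(data) // 2])
        bad = verify_restore(truncated, manifest)
    return good, bad


if __name__ == "__main__":
    intact, damaged = run_drill()
    print("intact archive:", "PASS" if not intact else intact)
    print("truncated archive:", "PASS" if not damaged else damaged)
```

The point of the manifest is that a restore can "succeed" and still be wrong: an archive that unpacks cleanly but is missing yesterday's notes, or holds a stale copy of the billing file, passes a naive "did it extract?" check and fails this one. Run the drill on a schedule against the real backup target, and treat any non-empty problem list as an incident to investigate, not a warning to snooze.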
Duty of Care
Mental health and substance use records carry unique risk because they are permanent, deeply personal, and legally sensitive. For providers, protecting them is not just a compliance task. It is part of the duty of care.
Need Help Strengthening Your Cyber Readiness?
STACK Cybersecurity can help you understand your current exposure, reduce the biggest real-world risks, and build a practical plan that fits your environment. Call (734) 744-5300 or Contact Us to start the conversation.