Cyber Incident Victim: Dialyze Direct

On January 21, 2021, an unauthorized actor gained access to a single employee email account at Dialyze Direct, a Neptune City, New Jersey-based dialysis center. The breach persisted undetected until March 4, 2021, when unauthorized access to the account ceased. Dialyze Direct confirmed the incident on February 14, 2022, after concluding its investigation. The compromised email account contained sensitive protected health information belonging to 14,203 individuals. Patient notification began nearly a year after the breach window closed, with disclosures issued starting March 10, 2022. The organization found no evidence suggesting threat actors misused the exposed data but recommended affected individuals monitor their financial accounts and credit reports for suspicious activity.

The breach exposed multiple categories of personally identifiable information and medical data, including full names, Social Security numbers, dates of birth, financial account details, diagnostic and treatment records, health insurance plan information, government-issued identification numbers, and payment card information. Dialyze Direct did not publicly disclose the specific method of initial compromise or technical details regarding breach detection. No ransomware deployment or data encryption was reported, distinguishing this incident from contemporaneous attacks against other healthcare entities. The dialysis center implemented standard breach response protocols, including direct patient notifications and guidance on vigilance against identity theft, but did not outline specific security upgrades or system changes resulting from the incident.