Cyber Incident Victim: Galstan & Ward Family and Cosmetic Dentistry
Date: Mar 2020
Location: United States of America
Summary
A ransomware attack targeted Galstan & Ward Family and Cosmetic Dentistry, with attackers claiming server infection and demanding payment. The dental practice had previously wiped its server and restored data from backups, but subsequent unauthorized access led to some files being stolen and published on the dark web. While no patient information was confirmed within the compromised files, individuals were notified as a precautionary measure due to potential exposure risks. The incident mirrored broader cyber-attacks impacting multiple healthcare providers, where encrypted systems and data theft prompted breach notifications despite varying evidence of actual patient data compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Galstan & Ward Family and Cosmetic Dentistry in Suwanee, Georgia, experienced a cybersecurity incident involving a ransomware demand. A caller contacted the dental practice claiming their server was infected with a virus and demanded payment. Prior to this event, the practice had proactively wiped the affected server and restored operations using backup data, indicating some level of preparedness. However, on September 11, 2020, attackers successfully exfiltrated certain files from the practice's systems and subsequently published this data on the dark web. Forensic analysis confirmed that the stolen files did not contain identifiable patient health information or personal records. Despite the absence of confirmed patient data exposure, the practice elected to notify affected individuals as a precautionary measure against potential risks.

The incident timeline suggests an initial compromise occurred around March 2020, though the exact date of first intrusion remains unspecified in public disclosures. Attackers employed ransomware tactics, though the practice's prior server restoration from backups mitigated operational disruption. The September 2020 data exfiltration represented a secondary phase where threat actors shifted from encryption-based extortion to data theft and publication. No evidence indicated patient treatment records, financial data, or personally identifiable information were compromised in the published materials. The practice's response included forensic investigation to determine data exposure scope, dark web monitoring to track stolen materials, and precautionary patient notifications despite forensic conclusions showing no sensitive data leakage. Business operations continued without reported interruptions following the initial server restoration.
