Cyber Incident Victim: Country Doctor Community Health Clinic
Date:
Jan 2022
Location:
United States of America
Summary
Three US healthcare organizations, including Country Doctor Community Health Clinic (CDCHC), suffered data breaches affecting over 121,000 individuals. CDCHC notified 38,751 individuals after an unauthorized actor accessed its system, compromising names, Social Security numbers, dates of birth, addresses, and protected health information. The breach was discovered after unusual activity was detected in the digital environment, and the organization took steps to secure it, making changes to prevent similar incidents in the future.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 15, 2022, Ascension St. Vincent’s Coastal Cardiology in Brunswick, Georgia, discovered a healthcare data breach affecting legacy systems associated with its recently acquired Coastal Cardiology practice. The compromised systems included the practice’s former electronic medical record (EMR) infrastructure, which had been in use prior to its acquisition by Ascension. The organization confirmed that no current Ascension networks or systems were impacted, including the practice’s active EMR platform. Upon identifying the breach, Ascension St. Vincent’s Coastal Cardiology immediately secured the legacy network to prevent further unauthorized access. The investigation revealed that ransomware had encrypted portions of the legacy system’s data, rendering it inaccessible. Due to this encryption, the organization could not definitively determine which specific records or data elements were accessed or exfiltrated during the incident. The breach impacted 71,227 individuals who had received care at Coastal Cardiology before October 5, 2021.
The legacy EMR system contained demographic and clinical information related to patient visits occurring prior to the October 2021 acquisition date. Exposed data categories included patient names, addresses, email addresses, phone numbers, and insurance information. For some individuals, Social Security numbers were also compromised if they had been provided to the practice. Clinical information, billing details, and insurance-related data were additionally present in the affected systems. Ascension St. Vincent’s Coastal Cardiology issued breach notifications to all potentially impacted individuals but emphasized the ongoing inability to verify the exact scope of accessed data due to the ransomware’s encryption of the legacy records. No evidence suggested misuse of the compromised information as of the breach disclosure date, though the organization did not specify whether ransomware actors made explicit demands or claims regarding the encrypted data. The incident exclusively affected historical records from the pre-acquisition period, with no disruption to current clinical operations or Ascension’s broader network infrastructure.