Cyber Incident Victim: Spine & Disc Medical Center
Date: May 2021
Location: United States of America
Summary
Spine & Disc Medical Center, a Phoenix-based chiropractic practice, experienced a ransomware attack by the Avaddon threat actor group, which claimed responsibility by adding the organization to its leak site and publicly releasing archived files containing patient records and limited employee information. The attackers did not compromise electronic health record systems or personnel databases, but the incident forced the practice’s website offline for an extended period. While the full scope of data exfiltration remains unclear, the breach exposed sensitive patient and staff details through the dumped proof-of-hack materials.
Description
Spine & Disc Medical Center, a chiropractic practice in Phoenix, Arizona, experienced a ransomware attack around May 24, 2021, resulting in operational disruption and potential data compromise. The Avaddon ransomware group claimed responsibility for the attack, listing the medical center on their data leak site and publishing archived files as evidence of their intrusion. These leaked files contained identifiable patient records and limited employee information, though the attackers did not appear to access or exfiltrate electronic health record (EHR) or electronic medical record (EMR) systems or comprehensive personnel databases. The practice's website became inaccessible in the days preceding the public disclosure, indicating the attack likely occurred shortly before May 24. No details regarding the initial attack vector, encryption methods, or ransom demands were disclosed in available reporting.

The attack forced Spine & Disc Medical Center offline, with their web presence remaining unreachable for multiple days following the incident. DataBreaches.net attempted to contact the practice via email to obtain an official statement regarding the attack's scope and their response measures, but no reply had been received by the time of publication. The published data samples suggested potential exposure of sensitive health information, though the full extent of data exfiltration remained unverified. No information emerged regarding containment procedures, system restoration efforts, or whether law enforcement was notified. The operational disruption to the practice's online presence indicated significant information system impacts, though the duration of clinical service interruptions was not specified in available sources.
