Cyber Incident Victim: Centers for Advanced Orthopaedics
Date:
Oct 2019
Location:
United States of America
Summary
A Maryland orthopedic provider experienced unauthorized access to multiple employee email accounts over a one-year period, compromising protected health information for approximately 125,000 patients, employees, and dependents. The breach exposed sensitive data including Social Security numbers, financial account details, and passport numbers, though investigators couldn't confirm whether the information was actually viewed or acquired by the intruder. Following discovery of the email compromise, the organization initiated security reviews and implemented enhanced safeguards while reporting no evidence of data misuse.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 25, 2021, the Centers for Advanced Orthopaedics (CAO) initiated notifications to 125,291 individuals—including patients, employees, and dependents—regarding a cybersecurity incident involving unauthorized access to employee email accounts. The Bethesda, Maryland-based orthopedic practice discovered unusual email activity on September 17, 2020, prompting an immediate investigation with assistance from cybersecurity experts. Forensic analysis revealed that a cybercriminal had infiltrated multiple employee email accounts over a prolonged period spanning October 2019 through September 2020. The investigation concluded on January 25, 2021, confirming that protected health information (PHI) resided within the compromised email accounts during the breach window. Exposed data potentially included Social Security numbers, financial account details, passport numbers, and other sensitive personal and medical information. CAO explicitly stated it could not confirm whether the unauthorized party actually viewed or acquired the PHI, nor was it aware of any subsequent misuse of the exposed information.
In response to the breach, CAO undertook a comprehensive review of its existing cybersecurity policies and operational procedures. The organization conducted an assessment of its security infrastructure to identify vulnerabilities exploited during the incident. Additional technical and administrative safeguards were implemented to strengthen email system protections and reduce the likelihood of future unauthorized access. The yearlong duration of undetected access highlighted systemic gaps in monitoring capabilities, though specific technical details about the attack vector or containment measures were not publicly disclosed. Notification letters provided guidance to affected individuals about monitoring their personal information but did not offer complimentary credit monitoring services. The incident underscored operational challenges in securing email communications containing PHI across a multi-provider orthopedic network.