Cyber Incident Victim: Valley Anesthesiology and Pain Consultants
Date: Mar 2016
Location: United States of America
Summary
Valley Anesthesiology and Pain Consultants experienced a security incident involving potential unauthorized third-party access to its computer systems. A forensic investigation found no evidence of data access but could not definitively rule it out, prompting notifications to approximately 882,590 patients, all current and former employees, and providers. Exposed information included patient treatment details, insurance identifiers, and some Social Security numbers; provider credentialing and financial data; and employee personal and banking information. While no misuse of information was identified, the organization offered free credit monitoring to individuals with exposed Social Security or Medicare numbers and implemented enhanced security measures including firewall upgrades and process reviews to prevent future incidents.
Description
On June 13, 2016, Valley Anesthesiology and Pain Consultants (VAPC) discovered that an unauthorized third party may have accessed their computer systems on March 30, 2016. The organization immediately initiated an investigation upon discovery, engaging a leading forensics firm to assist and notifying law enforcement authorities. Forensic analysis found no conclusive evidence that data stored on the compromised systems was actually accessed or exfiltrated during the incident. However, investigators could not definitively rule out the possibility of unauthorized access to sensitive information.

The potentially exposed systems contained extensive personal and medical data across three distinct groups: patients, healthcare providers, and employees. For approximately 882,590 patients, this included names, provider names, treatment dates and locations, health insurer details, insurance identification numbers, medical diagnosis/treatment codes, and in some cases Social Security Numbers or Medicare identifiers. Provider records exposed credentialing information such as full names, birth dates, Social Security Numbers, professional license numbers, DEA registration numbers, National Provider Identifiers, and bank account details. Employee data included names, dates of birth, addresses, Social Security Numbers, bank account information, and tax-related financial records.

VAPC issued notifications to all affected individuals despite having no evidence of actual data misuse, operating under the presumption of a reportable breach given the inability to confirm non-access. The organization established a dedicated call center and informational website to address inquiries, offering complimentary credit monitoring and identity protection services specifically to individuals whose Social Security Numbers or Medicare numbers were involved. Concurrently, VAPC implemented security enhancements including network firewall upgrades and comprehensive reviews of existing security protocols. These measures supplemented existing safeguards as part of organizational efforts to prevent recurrence. The incident impacted all current and former employees and providers in addition to the nearly 883,000 patients, representing a comprehensive compromise of the organization's workforce and client base. VAPC publicly acknowledged the potential consequences for personal privacy and expressed regret for any resulting concerns, while emphasizing their continued commitment to information security through infrastructure improvements and adoption of industry best practices in their IT environment.
