Cyber Incident Victim: Southern Orthopaedic Associates

Date: Jun 2021

Location: United States of America

Summary

Southern Orthopaedic Associates experienced a hacking incident involving unauthorized access to multiple employee email accounts over a two-week period, compromising protected health information of approximately 107,000 patients. The forensic investigation confirmed that the exposed data included patient names and Social Security numbers, though it could not determine which specific emails were accessed. Following the breach discovery, the organization secured affected accounts, conducted a comprehensive review of email contents, and implemented enhanced email security measures alongside workforce security training. Impacted individuals received notifications and were offered complimentary credit monitoring services for one year.

Description

Southern Orthopaedic Associates (SOA), operating as the Orthopaedic Institute of Western Kentucky in Paducah, KY, detected unauthorized activity in an employee email account on or around July 7, 2021. The organization immediately secured the compromised account and initiated an investigation to assess the breach's scope. With assistance from a third-party computer forensics firm, SOA determined that multiple employee email accounts had been accessed without authorization between June 24, 2021, and July 8, 2021. Investigators could not confirm which specific emails or attachments within the accounts were viewed by the threat actor. SOA conducted a comprehensive manual review of all emails and attachments in the compromised accounts to identify exposed protected health information. This review concluded on October 21, 2021, confirming that the breached accounts contained patient names and Social Security numbers. The incident affected 106,910 individuals whose data resided in the email system during the intrusion period. SOA began mailing notification letters to impacted patients on December 12, 2021, more than five months after initial detection.

In response to the breach, SOA implemented multiple corrective measures including enhanced email security protocols and additional workforce security awareness training. Affected individuals received offers for a complimentary 12-month membership to Experian's credit monitoring services. The organization did not specify whether forensic evidence confirmed data exfiltration beyond unauthorized account access. The attack vector appeared limited to email account compromise, with no indication of broader network infiltration. SOA's notification timeline adhered to HIPAA requirements despite the four-month gap between concluding their data review and issuing patient alerts. The incident exposed highly sensitive patient identifiers but did not compromise medical treatment records or clinical data according to available disclosures. Security improvements focused specifically on email systems where the breach originated.
