Cyber Incident Victim: DOCS Medical Group
Date: Sep 2022
Location: United States of America
Summary
DOCS Medical Group, a Connecticut-based healthcare provider, experienced a ransomware attack compromising patient data including demographic details, medical history, Social Security numbers, insurance information, and financial records. The incident did not disrupt electronic medical records or billing systems, allowing operations to continue uninterrupted. The organization attributed the breach to external factors rather than internal failures, implicitly suggesting potential vendor involvement by emphasizing its expectation that vendors uphold similar data protection standards. No details were provided regarding the ransomware group, file encryption status, decryption efforts, ransom demands, or payment. Patient notifications were issued, but the incident remained unlisted on official breach registries at the time of reporting.
Description
On September 7, 2022, DOCS Medical Group, a Connecticut-based urgent care, primary care, and telemedicine provider, detected abnormal activity within its systems. The organization promptly identified the activity as a ransomware attack. A patient notification letter dated November 7, 2022, confirmed that an unspecified number of patients had personal and medical information stored on a compromised server. Exposed data included demographic details such as names and contact information, medical histories, reasons for visiting DOCS facilities, Social Security numbers, insurance information, and various financial records. DOCS noted the incident did not impact electronic medical records or billing systems, emphasizing the organization remained "fully operational at all times" throughout the event. No technical specifics regarding the ransomware variant, encryption status, data exfiltration, or decryption methods were disclosed in the notification. The letter did not address whether DOCS received or responded to any ransom demands from threat actors.

DOCS Medical Group asserted in its notification that the ransomware attack "did not occur due to any act or omission of DOCS or its staff," but provided no explanation for this claim. The notice referenced vendor obligations regarding patient data protection, stating, "DOCS takes its obligation to protect the privacy and confidentiality of our patients’ personal information and we expect our vendors to do the same." This statement raised unresolved questions about potential third-party involvement in the breach, though no vendor was explicitly named or confirmed as a contributing factor. DOCS did not respond to external inquiries seeking clarification about the attack's origin or the role of vendors. As of the article’s publication date, the incident had not been listed on the U.S. Department of Health and Human Services’ public breach reporting tool. The notification did not disclose the total number of affected individuals, restoration timelines, forensic investigation outcomes, or whether law enforcement was engaged.
