Cyber Incident Victim: New Leaf, Inc.
Date: Mar 2021
Location: United States of America
Summary
The incident involved unauthorized access to a healthcare provider's network, compromising sensitive patient data including names, birth dates, Social Security numbers, and medical treatment details. Forensic investigation found no evidence of data misuse, but impacted individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. The breach was promptly reported to law enforcement and investigated with third-party cybersecurity experts, though notifications to affected parties and regulators were delayed by several months.
Description
On June 5, 2021, Jefferson Surgical Clinic, a healthcare provider based in Roanoke, Virginia, detected unauthorized access to portions of its network containing sensitive patient information. The breach investigation revealed that an attacker infiltrated systems storing protected health information, including patient names, dates of birth, Social Security numbers, and medical treatment details. The clinic immediately engaged third-party cybersecurity and digital forensics specialists to assist with containing the incident and determining its scope. Federal law enforcement authorities, including the Federal Bureau of Investigation, were promptly notified about the intrusion. Forensic analysis confirmed the attacker's access to data repositories but found no evidence that exfiltrated information had been misused for identity theft or fraudulent activities following the breach.

The compromised data affected 174,769 individuals whose records contained personal identifiers combined with Social Security numbers, as confirmed in notifications to the Maine Attorney General's office. Jefferson Surgical Clinic initiated breach notifications to impacted patients approximately seven months after detection, though no explanation was provided for this delay. As a precautionary measure against potential future misuse, the clinic offered affected individuals twelve months of complimentary credit monitoring and identity theft protection services. The breach notification letters detailed the types of exposed information but did not disclose technical specifics about the attack methodology, network vulnerabilities exploited, or operational disruptions caused by the incident. Regulatory filings confirmed the exposure of protected health information but did not indicate whether ransomware or extortion attempts accompanied the unauthorized network access.
