Cyber Incident Victim: Maffi Clinics

On September 11, 2018, Maffi Clinics, a network of five plastic surgery and skin care clinics based in Arizona, experienced a ransomware attack compromising systems containing protected health information. The intrusion was promptly detected, with unauthorized access terminated within five hours through immediate system shutdowns to contain potential damage. An independent IT consulting firm intervened to remove the ransomware and successfully restored affected files from existing backups, avoiding permanent data loss or operational disruption. Forensic analysis conducted during remediation found no evidence that attackers exfiltrated or viewed patient information during the brief access window. Notably, the clinic did not receive any ransom demand related to the incident, distinguishing it from contemporaneous healthcare ransomware cases involving extortion payments.

The incident potentially exposed information belonging to 10,465 patients, including names, addresses, phone numbers, and pre-and post-operative medical records. Despite the absence of evidence indicating actual data access or theft, Maffi Clinics initiated breach notifications to affected individuals as a precautionary measure. Concurrently, the organization implemented enhanced cybersecurity safeguards specifically targeting ransomware and malware threats, though technical specifics of these improvements were not publicly disclosed. The Department of Health and Human Services’ Office for Civil Rights received formal notification of the breach on March 6, 2019, nearly six months post-incident, aligning with standard regulatory reporting timelines. No credit monitoring or identity protection services were offered to patients, as the investigation concluded no substantive risk of data misuse existed. Operational recovery was achieved without financial concessions to threat actors or permanent loss of clinical records due to effective backup utilization.