Cyber Incident Victim: MSK Group
Date:
May 2018
Location:
United States of America
Summary
A Tennessee-based healthcare entity experienced unauthorized access to parts of its computer network over several months, potentially exposing personal and medical information including names, addresses, social security numbers, diagnostic images, insurance details, and medical records. The organization engaged cybersecurity consultants to investigate and mitigate the incident, determining no data was confirmed as exfiltrated. As a precaution, affected individuals were notified and offered one year of complimentary identity theft protection services featuring credit monitoring, identity recovery support, and a $1 million insurance reimbursement policy.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 7, 2018, MSK Group, a Tennessee-based orthopedic practice operating under divisions including OrthoMemphis, Memphis Orthopaedic Group, Tabor Orthopedics, and Crosstown Back & Pain Institute, detected a security incident affecting its computer networks. The organization immediately engaged external information security consultants to investigate the event, mitigate risks, and assess the scope of unauthorized access. Forensic analysis revealed intermittent unauthorized access to portions of the network occurring over several months prior to detection. While investigators determined no records containing personal information were confirmed to have been exfiltrated, the compromised network segments stored sensitive patient data including full names, addresses, telephone and fax numbers, photographs, email addresses, dates of birth, Social Security numbers, diagnostic images, driver’s license details, insurance information, and medical records. The investigation remained ongoing with continued collaboration between MSK Group and cybersecurity consultants to implement additional network security enhancements following the breach discovery.
MSK Group initiated patient notifications on July 5, 2018, via letters signed by CEO Kimble L. Jenkins, with physical mailings scheduled to arrive starting approximately July 9. The notifications disclosed the potential exposure of personal information and offered affected individuals one year of complimentary identity protection services through ID Experts' MyIDCare program. This service package included 12 months of credit monitoring, a $1 million identity theft insurance reimbursement policy underwritten by an A.M. Best "A- rated" carrier with no deductible, and fully managed identity theft recovery support. Enrollment required activation through a dedicated portal (https://ide.myidcare.com/mskprotect) using unique codes provided in notification letters, with a 90-day enrollment window from each recipient's letter date. The organization maintained public communication through its website, emphasizing precautionary measures despite no evidence of actual data removal, while continuing to strengthen network defenses in coordination with cybersecurity experts.