Cyber Incident Victim: Illinois Valley Podiatry Group
Date:
Jan 2015
Location:
United States of America
Summary
Illinois Valley Podiatry Group experienced unauthorized access to patient records managed by contractor Bizmatics, Inc., compromising names, addresses, and Social Security numbers for 26,588 individuals. The breach prompted engagement with law enforcement and cybersecurity experts to contain the intrusion, with patients advised to monitor for identity theft. A separate Bizmatics client, Complete Family Foot Care, reported a similar incident impacting 5,883 patients, though federal breach reporting did not explicitly attribute these incidents to the vendor. No public statement from Bizmatics clarified the full scope of affected clients.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Illinois Valley Podiatry Group, based at 3322 W. Willow Knolls Drive, publicly disclosed a cybersecurity incident on March 8, 2016, after discovering unauthorized access to its computer records. The intrusion was believed to have occurred in 2015, though the exact date of initial compromise remained unspecified. Patient names, addresses, and Social Security numbers were identified as potentially exposed data elements during the breach. The medical group engaged law enforcement authorities and contracted a cyber forensics firm to investigate the incident and ensure containment of the intrusion. While the practice acknowledged uncertainty about precisely which records were accessed, it proactively notified 26,588 affected patients through an undisclosed method and recommended vigilance against fraud and identity theft. The incident was formally reported to the U.S. Department of Health and Human Services (HHS) on the same day as the public announcement, though no substitute notice or detailed press release from the podiatry group was publicly identified at the time of initial reporting.
Forensic analysis linked the breach to a compromise at Bizmatics, Inc., a third-party vendor providing electronic medical records (EMR) management services to the podiatry group. This connection emerged concurrently with a separate breach disclosure by Complete Family Foot Care, a Nebraska-based healthcare provider that also utilized Bizmatics’ services and reported a hacking incident affecting 5,883 patients on March 8, 2016. Complete Family Foot Care’s notification clarified that Bizmatics’ compromised servers contained patient health information including names, addresses, Social Security numbers, health insurance details, diagnoses, and treatments, though financial payment data was not stored in the affected systems. Bizmatics initiated response measures immediately after detecting the unauthorized access, collaborating with law enforcement and data security experts to secure their infrastructure. Neither breach appeared in HHS’s public breach reporting tool as business associate incidents, creating potential discrepancies in public understanding of the events’ scope. No additional client organizations beyond Illinois Valley Podiatry Group and Complete Family Foot Care were confirmed as impacted through available reports, and Bizmatics did not issue public statements verifying the total number of affected entities or detailing the intrusion methodology.