Cyber Incident Victim: Anesthesia Associates
Date:
Jul 2022
Location:
United States of America
Summary
A healthcare data breach impacted 13 anesthesia providers, compromising information for over 380,000 individuals. The incident stemmed from a security failure at an unnamed management company utilized by the group, exposing patient names, addresses, health insurance details, Social Security numbers, payment information, and medical treatment or diagnosis data. Affiliated providers spanned multiple states, with individual practice impacts ranging from several thousand to nearly 100,000 patients. Following the breach, the management company implemented additional security controls to safeguard patient information, while affected individuals were advised to monitor financial and credit activity for suspicious behavior.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In mid-July 2022, a healthcare data breach impacted 13 anesthesia provider practices across multiple U.S. states, affecting over 380,000 individuals according to notifications submitted to the HHS Office for Civil Rights. The incident involved unauthorized access to systems managed by an unnamed third-party management company utilized by these anesthesia providers. Anesthesia Associates of El Paso, one of the affected entities, disclosed that compromised information could include patient names, addresses, health insurance policy numbers, Social Security numbers, payment details, and health information such as treatment records and diagnoses. The breach notifications from providers were limited, with minimal public details about the exact intrusion methods, timeline of unauthorized access, or specific systems targeted. The management company’s role as a central point of failure suggested a supply chain attack vector, though no threat actor group or motive was identified in available reports.
Following the breach, affected anesthesia providers issued notices advising patients to monitor credit reports and financial statements for suspicious activity stemming from the exposure of sensitive personal and medical data. The management company implemented additional security controls to safeguard patient information, though specific technical or organizational measures were not detailed publicly. Impacted provider practices spanned diverse geographic regions, with Providence WA Anesthesia Services reporting the highest individual impact at 98,643 patients, followed by Palm Springs Anesthesia Services (58,513), Anesthesia Services of San Joaquin (44,015), and Anesthesia Associates of El Paso (43,168). Other entities included Resource Anesthesiology Associates PC (37,697), Bronx Anesthesia Services (17,802), Resource Anesthesiology Associates of IL PC (18,321), Resource Anesthesiology Associates of CA (16,001), Hazleton Anesthesia Services (13,607), Anesthesia Associates of Maryland (12,403), Upstate Anesthesia Services PC (9,065), Fredericksburg Anesthesia Services (7,069), and Lynbrook Anesthesia Services (3,800). The cumulative impact underscored the scale of vulnerabilities in third-party healthcare management ecosystems.