Cyber Incident Victim: Tennessee Orthopaedic Alliance
Date:
Oct 2019
Location:
United States of America
Summary
Tennessee Orthopaedic Alliance experienced a breach when unauthorized individuals accessed two employee email accounts, potentially compromising personal and protected health information of over 81,000 patients. The compromised data included names, dates of birth, contact details, Social Security numbers, health insurance information, treatment details, and cost information. While no misuse of the affected information was confirmed at the time of notification, the organization offered complimentary identity protection services to individuals whose Social Security numbers were potentially exposed and reported the incident to federal authorities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 18, 2019, Tennessee Orthopaedic Alliance (TOA) detected unusual activity within an employee’s email account, prompting an immediate investigation. Forensic analysis confirmed unauthorized access to two employee email accounts by an unknown party, potentially exposing sensitive patient information. The compromised accounts contained data belonging to both current and former patients spanning multiple categories of personal and protected health information. Affected data elements included patient names, dates of birth, physical addresses, phone numbers, email addresses, Social Security numbers, health insurance policy details, treatment or diagnostic codes, and treatment cost information. TOA’s investigation could not confirm whether any information was actually accessed or exfiltrated by the unauthorized party, nor could it determine the precise duration of the email account compromises prior to detection. The scope of potentially impacted individuals exceeded 81,000 patients based on the contents of the email accounts involved.
TOA initiated patient notification procedures by mailing letters to all potentially affected individuals on February 14, 2020, nearly four months after initial detection. The organization explicitly stated it had found no evidence of actual misuse of the exposed information as of the notification date. For patients whose Social Security numbers were potentially compromised, TOA arranged complimentary identity protection services through Kroll to monitor for fraudulent activity. The breach was formally reported to the U.S. Department of Health and Human Services (HHS) as affecting 81,146 individuals, meeting federal reporting requirements for incidents involving protected health information. TOA published a detailed notice on its official website to provide additional information about the incident while emphasizing ongoing security measures to protect patient data. No ransomware deployment, financial demands, or specific attacker motivations were identified in the disclosed findings.