Cyber Incident Victim: Mayfield Brain & Spine
Date: Feb 2016
Location: United States of America
Summary
A breach at a vendor used by Mayfield Brain & Spine resulted in fraudulent emails containing ransomware being distributed to patients, business associates, and other contacts. The malicious email, disguised as an invoice, triggered a malware download if the recipient opened the attachment. The compromised vendor database contained only email addresses, with no health or financial information exposed. The organization promptly notified affected individuals, provided malware removal software, secured the vendor account, and implemented enhanced security protocols. Over 23,000 individuals were impacted by the incident, which did not involve the healthcare provider's own systems.
Description
On February 23, 2016, unauthorized actors accessed the database of an outside vendor used by Mayfield Brain & Spine to distribute communications, triggering a malicious email campaign. Recipients received fraudulent messages titled "Important Information: invoice 11471" that appeared to originate from Mayfield but were actually sent by the unauthorized party. The email contained an attachment that deployed ransomware upon opening, potentially compromising affected devices. Mayfield responded the same day by alerting recipients to the fraudulent nature of the communication and prominently displaying warnings on its website homepage, and it issued updated remediation guidance on February 25. The clinic confirmed that no internal systems were breached: the compromise involved only the vendor's infrastructure, which was used to distribute newsletters, educational materials, event invitations, and other non-sensitive communications to patients, business associates, and website contacts.

Mayfield's investigation determined the vendor only maintained email addresses provided by the clinic, with no exposure of protected health information or financial data. The organization implemented multiple containment measures including collaborating with the vendor's compliance team to analyze the breach, permanently locking the compromised account to prevent further unauthorized access, and engaging antivirus specialists to analyze the malware's characteristics. As part of remediation, Mayfield distributed free malware removal software to affected individuals and conducted internal policy reviews to strengthen information security practices related to vendor relationships. Thomas Rosenberger, Vice President of Communications, publicly stated the clinic saw no need for additional recipient actions following these measures. The incident was formally reported to the U.S. Department of Health and Human Services on April 23, 2016, with documentation indicating 23,341 affected individuals. Final notifications were disseminated via mailed letters and a press release outlining the event timeline and organizational response.
