Cyber Incident Victim: Desert Pain Institute

On August 26, 2021, healthcare technology services company QRS, Inc. detected unauthorized access to a client’s patient portal, with the attacker exfiltrating files from the compromised server. The breach was discovered within three days of the initial attack. The compromised data potentially included patients’ names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment or diagnosis information. QRS confirmed the intrusion was isolated to this single client’s portal and did not affect other QRS systems or additional clients. The incident was reported to the U.S. Department of Health and Human Services (HHS) as impacting 319,788 individuals. In November 2021, the Snatch ransomware group claimed responsibility for the attack on their leak site. Separately, Gregory Brewer, MD PLLC reported the same incident impacted 6,027 of their patients, though it remained unclear whether this figure was included in QRS’s initial HHS report.

Baywood Medical Associates, PLC, operating as Desert Pain Institute (DPI), experienced a separate breach involving protected health information. DPI reported the incident to HHS as affecting 45,262 patients. No specific timeline, attack vector, or detection details were disclosed in available public notifications. The breach notification indicated the compromised data could include patient names, dates of service, addresses, Medicaid IDs, and dates of birth. There was no public confirmation of whether ransomware or extortion tactics were involved, nor were containment or remediation measures described. The incident marked one of multiple healthcare breaches disclosed during this period, alongside unrelated intrusions at the New York Psychotherapy and Counseling Center (NYPCC) and the QRS-related compromise. DPI’s breach underscored operational risks to regional specialty clinics handling sensitive patient data.