Cyber Incident Victim: Lubbock Heart & Surgical Hospital
Date:
Jul 2022
Location:
United States of America
Summary
Lubbock Heart & Surgical Hospital experienced a cybersecurity incident involving unauthorized access to its IT systems, which disrupted network operations and compromised sensitive patient data. The breach exposed personal and medical information including names, contact details, Social Security numbers, diagnoses, treatment records, prescription data, insurance details, and medical record numbers. After securing its systems and initiating an investigation with external cybersecurity experts, the hospital confirmed data exfiltration and notified approximately 23,379 affected individuals. The organization, a physician-owned Texas-based facility offering comprehensive medical services, collaborated with law enforcement and federal regulators following the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 12, 2022, Lubbock Heart & Surgical Hospital administration detected a data security incident that disrupted the functionality of its computer network. The investigation, conducted with external cybersecurity specialists, determined that an unauthorized party accessed the hospital’s IT system on July 11, 2022, with access terminated the following day. Law enforcement was notified during the initial response phase. Forensic analysis confirmed the intruder potentially copied sensitive patient data during the intrusion window. The hospital secured its systems following the discovery and initiated a review of affected files to identify compromised information and impacted individuals. This review revealed unauthorized access to patient names, contact details, demographic information, dates of birth, Social Security numbers, diagnosis and treatment records, prescription data, Medical Record Numbers, provider names, dates of service, and health insurance information. On September 9, 2022, the hospital reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, disclosing that 23,379 patients were affected. Notification letters detailing the compromised data categories were dispatched to all impacted individuals on the same date. The hospital’s public notice emphasized the variability of exposed data per individual but confirmed the inclusion of multiple identifiers classified as protected health information under HIPAA.
The breach exposed patients to risks of identity theft, medical fraud, and financial harm due to the comprehensive nature of the compromised dataset. Specifically, the combination of Social Security numbers, medical record numbers, insurance details, and clinical information created potential for fraudulent medical service claims, incorrect medical record alterations, and financial liability for victims. The incident involved 18 distinct HIPAA identifiers, including biometric-relevant data such as full-face photographs, though the hospital’s notification did not specify whether biometric records were exfiltrated. Operational disruptions occurred during the network compromise, though service restoration timelines were not disclosed. As a physician-owned facility offering emergency services, cardiology, surgery, and diagnostics, the breach impacted a broad patient population across multiple clinical specialties. The hospital’s $37 million revenue base and 352-employee operations indicated the scale of affected infrastructure. No evidence of data misuse was confirmed in the disclosed findings, but the presence of Social Security numbers and health plan beneficiary numbers elevated identity theft risks beyond typical healthcare breaches. The investigation did not publicly attribute the attack or disclose whether ransomware or data exfiltration demands occurred.