Cyber Incident Victim: Spine Diagnostic and Pain Treatment
Date: Feb 2022
Location: United States of America
Summary
Spine Diagnostic & Pain Treatment experienced a ransomware incident where the Conti group leaked approximately 3,351 patient files, representing 30% of the total data exfiltrated. The compromised data included driver's license images, pain diagrams, insurance billing details, and personally identifiable and protected health information. While the provider had not publicly confirmed the breach or provided details on incident response at the time of reporting, the leaked documents contained identifiable letterhead linking them to the practice. The extent of operational disruption, ransom demands, patient notifications, and regulatory reporting remained unclear based on available information.
Description
On or around February 25, 2022, the Conti ransomware group listed Spine Diagnostic & Pain Treatment, a Louisiana-based medical provider, on its data leak site. Conti published 3,351 files totaling nearly 4 GB, asserting these represented 30% of the total data exfiltrated during the breach. Analysis of the leaked files revealed a significant volume of sensitive patient and employee information, including driver’s license images—some dating back five or more years—alongside patient medical records containing pain diagrams, insurance billing details, and personally identifiable information (PII) or protected health information (PHI). The presence of practice letterhead on documents strongly indicated the data originated from Spine Diagnostic or an associated vendor. At the time of the leak’s discovery, Spine Diagnostic had not published any breach notification on its website, and the practice did not immediately respond to a media inquiry submitted via contact form seeking confirmation of the incident or details about its response.

The breach raised unresolved questions regarding its operational impact, including whether Conti had encrypted the provider’s servers or disrupted patient care services. The scope of affected individuals remained unverified, as Spine Diagnostic did not disclose the total number of patients or employees whose data was compromised, nor did it confirm if the incident had been reported to the U.S. Department of Health and Human Services (HHS) or disclosed to impacted parties. Conti’s publication of partial data suggested an attempted extortion effort, but the provider’s engagement in any ransom negotiations was not addressed publicly. The exposure of historical driver’s licenses and clinical records indicated potential long-term risks for identity theft and medical privacy violations. As of the incident’s initial reporting, no further details about the breach timeline, containment measures, or forensic findings were available due to the lack of official statements from Spine Diagnostic.
