Cyber Incident Victim: Norwood Clinic
Date: Sep 2021
Location: United States of America
Summary
Norwood Clinic experienced a cybersecurity breach where unauthorized actors accessed protected patient information over approximately one month before detection. The incident potentially compromised sensitive data including names, birth dates, contact details, Social Security numbers, and health records for over 228,000 individuals. While the investigation could not confirm specific data exfiltrated, the organization notified all patients as a precautionary measure due to the scope of system access.
Description
The cybersecurity incident at Norwood Clinic began on or around September 20, 2021, when unauthorized actors gained access to protected patient information. The breach persisted undetected for approximately one month until discovery on October 22, 2021. During this period, attackers compromised systems containing sensitive personal and health data belonging to patients. The compromised information included full names, dates of birth, contact details, Social Security numbers, and various categories of health-related information. Norwood Clinic, based in Birmingham, Alabama, subsequently determined that the breach potentially affected 228,000 individuals, making it one of the largest healthcare data breaches disclosed during this timeframe alongside incidents at two Colorado-based providers. The clinic's investigation could not definitively establish which specific records were accessed or exfiltrated during the intrusion window, creating uncertainty about the exact scope of data exposure.

In response to the breach discovery, Norwood Clinic initiated standard incident response protocols including forensic analysis to determine the attack's parameters. The organization elected to notify all patients in its care network regardless of whether forensic evidence confirmed their specific records were accessed, adopting a precautionary approach to potential data exposure. Notifications were issued through formal letters that detailed the types of information potentially compromised while acknowledging the investigation's inability to confirm exact data elements affected. The clinic reported the breach to regulatory authorities including the Maine Attorney General's office, though the reason for filing in Maine rather than Alabama was not specified in available documentation. No public statements indicated whether the attackers deployed ransomware or other malware, nor were technical details about the intrusion method or affected systems disclosed. The breach exposed patients to potential identity theft and medical fraud risks due to the sensitivity of the compromised data categories, particularly the combination of Social Security numbers with health information.
