Date: Jan 2021

Location: United States of America

Summary

Mendelson Kornblum Orthopedic and Spine Specialists experienced a data security incident involving unauthorized access to a server containing limited patient information, which was vulnerable for an unknown duration. Exposed data included patient names, medical record numbers, dates of birth, sex, and details related to medical images such as timestamps and body part names, but excluded medical images themselves, treatment details, insurance information, Social Security numbers, and financial data. The practice promptly initiated an investigation, secured the vulnerability, enhanced security protocols, and notified federal authorities. While no evidence of data misuse was found, approximately 28,658 affected patients were advised to monitor their accounts for suspicious activity.


Description

On January 5, 2021, Mendelson Kornblum Orthopedic and Spine Specialists, a Michigan-based orthopedic practice, discovered that a server containing limited patient health information had been vulnerable to unauthorized third-party access for an undetermined period. The compromised data included patient names, medical record numbers, dates of birth, sex, and metadata related to medical imaging studies—specifically the dates and times images were taken, image identification numbers, and the anatomical regions imaged. The practice confirmed that the breach did not expose actual medical images, diagnostic or treatment details, insurance information, Social Security numbers, or any financial account or payment card data. The incident impacted 28,658 patients whose information resided on the affected server.

The practice initiated an immediate investigation upon detection and implemented corrective measures to secure the vulnerable server. They identified and closed the specific vulnerability that permitted unauthorized access while reviewing and strengthening existing security protocols to prevent recurrence. Mendelson Kornblum formally reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights on March 5, 2021, classifying it as a hacking/IT incident in their HHS submission. Patient notifications followed, advising individuals to monitor account statements and credit reports for suspicious activity despite no evidence of actual data misuse being identified during the investigation. The practice directed patients to review its website for comprehensive breach details, though external inquiries from media outlets like DataBreaches.net remained unanswered as of the reporting date. Security enhancements focused on procedural updates rather than system replacements, with no public disclosure of technical specifics regarding the vulnerability or unauthorized access methods.
