Cyber Incident Victim: Elliot J. Martin Chiropractic
Date:
Feb 2016
Location:
United States of America
Summary
A chiropractic practice experienced unauthorized remote access to its computer system, potentially compromising patients' protected health information. The breach exposed sensitive data including names, addresses, Social Security numbers, dates of birth, medical diagnoses, driver's license details, credit card information, and laboratory findings. Following discovery, the practice notified affected individuals and reported the incident to the Office for Civil Rights as required by HIPAA. Law enforcement and technical experts were engaged in the investigation. Security improvements were implemented, such as password changes, revised internet access protocols, encrypted credit card processing, and removal of certain personal identifiers from systems to prevent future incidents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 19, 2016, Elliot J. Martin Chiropractic PC discovered a potential breach of protected health information affecting current and former patients. The practice determined that an unauthorized individual may have remotely accessed their computer system between February 11 and February 19, 2016. The compromised information included sensitive personal and medical data such as patient names, addresses, Social Security numbers, dates of birth, diagnoses, driver's license numbers, credit card information, laboratory findings, and other records stored on the office computer system. Practice president Elliot J. Martin DC became aware of the intrusion on the discovery date of February 19, initiating immediate internal investigations. The breach timeframe represented an eight-day window of potential exposure before detection. No specific details about the attack vector or perpetrator were disclosed in the notification, though remote access was confirmed as the intrusion method.
The practice notified affected patients through individual letters dated March 14, 2016, advising them to place fraud alerts with all three major credit bureaus and monitor their credit reports for suspicious activity. Martin reported the incident to the Department of Health and Human Services Office for Civil Rights as required by HIPAA regulations and consulted with their internet service provider, computer technician, and the Nassau County Police Department during the investigation. In response to the breach, the practice implemented several security upgrades including password changes for all computers, revised internet access protocols, adoption of encrypted credit card processing systems, and removal of certain personal identifiers from their digital records. The notification letter provided specific contact information for credit bureaus and detailed instructions for fraud alert establishment while maintaining practice contact channels through email, phone, and physical mail at their Albertson office. No information about the number of affected individuals or forensic investigation outcomes was included in the public notification. The practice acknowledged the incident's potential to cause stress and emphasized their commitment to preventing future breaches through these implemented safeguards.