Cyber Incident Victim: Advanced Medical Management
Date: May 2023
Location: United States of America
Summary
Advanced Medical Management experienced a data breach after an unauthorized party accessed portions of its IT network maintained by third-party vendors. The security incident resulted in the exposure of a significant amount of sensitive consumer information, including names, Social Security numbers, protected health information, and health insurance details. The company, which provides management services to healthcare providers, began notifying affected individuals following an internal investigation.
Description
On or around May 10, 2023, an unauthorized party gained access to certain databases within the IT network of Advanced Medical Management, LLC. The systems involved in this incident were developed and maintained by third-party vendors. The unauthorized access persisted until May 13, 2023. The specific security failure that allowed this initial access was not detailed in the public notification. The breach was detected by the company on May 11, 2023, when AMM observed unauthorized activity within its computer network. This detection prompted an immediate internal response.

In response to detecting the unauthorized activity, Advanced Medical Management notified law enforcement agencies. The company then launched a comprehensive investigation into the incident. The purpose of this investigation was to determine the cause of the breach and to ascertain the scope of the data that may have been accessed or acquired by the unauthorized actor. The forensic investigation confirmed that the intruder had accessed portions of the IT network containing sensitive consumer information during the three-day window in May.
The investigation later determined that the files accessible to the unauthorized party contained a significant amount of personal and protected health information belonging to consumers. The compromised data was not limited to a single type of information but constituted an extensive set of personally identifiable information. Following this determination, Advanced Medical Management conducted a review of the specific compromised files to identify exactly which individuals were affected and what specific elements of their information were exposed.
The data exposure was confirmed to include a wide range of sensitive consumer data. The leaked information includes individuals' names and Social Security numbers. It also includes physical addresses, email addresses, and phone numbers. Furthermore, the breach exposed dates of birth and driver’s license numbers. Critically, as a company providing support services to healthcare providers, the breached data included protected health information, commonly referred to as PHI, and health insurance information. The combination of these data elements significantly increases the potential risk for affected individuals.
Upon completing its investigation and review, Advanced Medical Management filed an official notice of data breach with the Attorney General of Montana on June 29, 2023. This filing provided the public confirmation of the incident and its scope. On that same date, the company began the process of sending out direct data breach notification letters to all individuals whose information was affected by the security incident. These letters were intended to inform victims about the breach and were meant to provide each recipient with a list of the specific information types that were compromised in their particular case.
The incident resulted in the unauthorized access of sensitive information, exposing a large number of consumers to an increased risk of identity theft and other fraudulent activities.
The company, Advanced Medical Management, LLC, is a healthcare services company based in Baltimore, Maryland. It provides management services to healthcare companies operating in Maryland, Delaware, Virginia, and Pennsylvania. The practices managed by AMM include Multi-Specialty HealthCare, Injury Care Center, and Tri County Pain Management Centers, which had recently combined to form Excelsia Injury Care. The data breach impacted individuals associated with these entities. The company also clarified that it is not related to a similarly named entity, Advanced Medical Management, Inc., of Long Beach, California.
The compromise of protected health information is a particularly serious matter due to the sensitive nature of medical data and the strict regulations that govern its security. The company's response included cooperation with law enforcement and a direct notification process to inform those impacted. The full technical details of the attack vector and the specific third-party vendors responsible for the affected systems were not disclosed in the public filing.
The consequences of the breach are primarily the potential misuse of the exposed data for criminal purposes, leaving affected individuals vulnerable to financial and medical identity theft. The company’s public disclosure did not include information regarding the number of individuals affected by this data security incident. The response actions were focused on investigation, notification, and informing the relevant authorities as required by law.
