Cyber Incident Victim: Virtual Private Network Solutions

On or around October 31, 2021, Virtual Private Network Solutions, LLC (VPN Solutions) identified a network security incident impacting its computer systems. VPN Solutions, a vendor providing electronic health record management software to Associates in Dermatology (AID), initiated an investigation to assess the nature and scope of the breach. The company initially informed AID that no patient data had been compromised by the ransomware attack. Subsequent forensic analysis revealed that unauthorized actors had accessed files containing sensitive consumer information stored on VPN Solutions’ network. This confirmation contradicted earlier assurances, prompting VPN Solutions to notify AID on January 17, 2023, that patient data had indeed been exposed during the incident.

AID commenced a review of the affected files to identify compromised information and impacted individuals, completing this process on March 10, 2023. The breached data included names, addresses, Social Security numbers, dates of birth, and protected health information, with specific details varying by individual. On March 17, 2023, AID filed a formal notice of the breach with the U.S. Department of Health and Human Services Office for Civil Rights and began mailing data breach notifications to affected consumers. The incident exposed personal and medical data from AID’s patient records managed through VPN Solutions’ systems, though the exact number of affected individuals was not disclosed in available reports. No additional technical details regarding the ransomware variant, containment measures, or attacker identity were provided in the source material.