
Cyber Incident Victim: The Vascular Center of Intervention

Date:

Feb 2023

Location:

United States of America

Summary

The Vascular Center of Intervention experienced a network security incident involving unauthorized access to and exfiltration of patient files. The BianLian cyber extortion group claimed responsibility for the attack, stating it had stolen 200 GB of data, and later added the organization to its leak site. Compromised information included medical history, treatment details, and personally identifiable information such as Social Security Numbers. Affected patients were offered credit monitoring services.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around March 29, 2023, the Vascular Center of Intervention (VCI) in California became aware of unusual activity occurring on its network. This detection prompted the initiation of an internal investigation to determine the nature and scope of the incident. The subsequent forensic analysis revealed that an unauthorized actor had gained access to VCI's systems and had engaged in activity involving patient-related files. The period of unauthorized access was determined to have occurred between February 25, 2023, and March 29, 2023. During this timeframe, certain files were accessed or exfiltrated from the network by the threat actor.


The types of sensitive patient information involved in this security incident were comprehensive. The compromised data included medical history details, information concerning a patient's mental or physical condition, and records of medical treatment or diagnosis provided by a healthcare professional. In addition to this highly sensitive health information, personally identifiable information was also affected. This included patient dates of birth, health insurance information, Social Security numbers, and driver's license information. The investigation concluded that for any given affected individual, the breach might have involved one or more of these data types.

While VCI's internal investigation identified the breach of patient data, the public notifications did not disclose the full nature of the attack. External reporting identified the specific threat group responsible for the incident. The BianLian cybercrime group claimed responsibility for the attack on VCI, characterizing it as an extortion operation. BianLian claimed to have successfully exfiltrated approximately 200 gigabytes of files from VCI's systems. This group subsequently added VCI to its data leak website on May 10, 2023, a common tactic used to pressure victims into paying a ransom demand.

The claims made by the BianLian group included the publication of the stolen VCI data. The group stated that the exfiltrated files had been dumped on its dark web site and were contained within 74 separate archives. However, independent attempts to access these purported archives failed every time. This raised questions about the authenticity of the data leak claim: whether the data was actually published, or whether the claim was merely a bluff as part of the extortion strategy.

VCI formally notified regulators and the public of the data breach on May 24, 2023. On that date, the organization submitted a breach notification to the appropriate authorities in California and also posted a substitute notice on its own website. The notification letter was signed by Dr. James Lee. The contents of this official notification described the discovery of the incident on March 29 and the results of the investigation, which confirmed access and exfiltration of data between late February and late March. It detailed the types of patient information that were potentially involved in the breach.

The substitute notice posted on VCI's website contained essentially the same information regarding the incident's discovery, timeline, and the types of data involved. However, this public notice omitted a key detail regarding the remedial actions being offered to affected patients. The official notification letter disclosed that impacted individuals were being offered 12 months of credit monitoring and identity theft protection services through the provider Cyberscout. This offering was a direct response to the potential misuse of the stolen sensitive information, particularly the Social Security numbers and financial data.

A significant aspect of the incident was the information that VCI chose not to disclose in its public communications. The organization's notifications did not mention that the attack involved an extortion attempt by a known ransomware group. There was no acknowledgement of the BianLian group's involvement or its claim of having exfiltrated a large volume of data. Furthermore, the notifications did not warn affected patients that their data was being leaked or was likely to be leaked on the dark web, despite the public claims made by the threat actor on its leak site.

The full impact of the incident, specifically the total number of patients affected by the data breach, was not immediately clear from the available information. As of the date of the initial reports, the incident had not yet been posted to the public breach reporting tool maintained by the U.S. Department of Health and Human Services (HHS). This official posting would typically contain the confirmed number of affected individuals. Consequently, the scope of the breach in terms of the patient count remained undetermined and awaited further official disclosure. VCI's response consisted of the investigation, the regulatory notification, the public substitute notice, and the offer of credit monitoring services to those whose data was compromised.

Sources
Sources available to members
1 source