Cyber Incident Victim: Michigan Avenue Immediate Care

Date: Dec 2021

Location: United States of America

Summary

A threat actor breached a Chicago healthcare facility, compromising protected health information of approximately 43,000 patients, including Social Security numbers, proof of identification, lab analyses, COVID-19 test results, and insurance details. The attackers exfiltrated over 580 GB of data from systems such as Yosi System, Docman, and Tempus, and began selling the data after unsuccessful ransom negotiations. The intrusion reportedly exploited weak security controls. The facility did not publicly acknowledge the incident or respond to inquiries, despite evidence provided by the threat actors.

Description

In December 2021, threat actors breached the systems of Michigan Avenue Immediate Care (MAIC), a Chicago-based immediate care facility and its associated primary care practice. The attackers claimed to have exfiltrated over 580 GB of protected health information (PHI) belonging to approximately 43,000 patients between December 2021 and May 10, 2022. Compromised data included Social Security numbers, proof of identification documents (such as driver’s license copies), lab analyses, TEMPUS COVID-19 test results, patient registration forms, insurance claims, and medical histories detailing lifestyle factors. Specific systems targeted included Yosi System, Docman, and Tempus. The threat actors asserted the intrusion required only 1.5 hours due to weak computer security. On May 16, 2022, they contacted DataBreaches.net, providing a 13-page patient registration form from MAIC as evidence, which contained identifiable demographic, insurance, and medical information alongside a follow-up appointment notice for Michigan Avenue Primary Care (MAPC).

Despite multiple attempts by DataBreaches.net to contact MAIC via email between May 16 and May 19, 2022, the organization did not respond; one email was blocked, while others went unanswered. No breach disclosures appeared on MAIC’s or MAPC’s websites, and no regulatory filing with HHS was identified as of the article’s publication. The threat actors, self-identifying as “Targetware Team” and linked to a prior attack on Wyandotte County Unified Government, escalated their outreach by sharing a 2.2 GB sample archive containing additional PHI, including batched insurance claims listing patient names, account numbers, insurance policy details, and service charges. They demanded an unspecified ransom, which MAIC allegedly delayed paying, prompting the attackers to begin selling the data by May 19. Impacts included the exposure of highly sensitive patient data across multiple systems, creating risks of identity theft, medical fraud, and unauthorized disclosure of COVID-19 test results. The prolonged exfiltration period and lack of public response from MAIC left patients uninformed about the compromise for at least five months post-discovery.
