Date:

Sep 2021

Location:

United States of America

Summary

Boulder Neurosurgical and Spine Associates experienced a breach involving unauthorized access to an employee email account, compromising protected health information of 21,450 individuals. Exposed data included patient names, dates of birth, and medical records, though addresses and Social Security numbers were not affected. The organization secured the account promptly and engaged cybersecurity experts to investigate, but it remained unclear whether the information was accessed or exfiltrated. The incident was reported to federal regulators as required.

Description

Boulder Neurosurgical and Spine Associates in Colorado detected unauthorized access to an employee email account on September 21, 2021. The organization immediately secured the compromised account to prevent further unauthorized activity. Third-party cybersecurity experts were engaged to assist with the investigation and forensic analysis of the breach. The investigation involved a comprehensive review of emails and attachments within the affected account to determine the scope of exposed information. While the analysis confirmed that protected health information (PHI) had been exposed, investigators could not definitively establish whether the unauthorized actor had viewed or exfiltrated any data during the breach window. The compromised data included patient names, dates of birth, and medical records, but notably excluded residential addresses and Social Security numbers based on the forensic examination.

The breach impacted 21,450 individuals whose PHI was present in the email account at the time of unauthorized access. Boulder Neurosurgical reported the incident to the U.S. Department of Health and Human Services' Office for Civil Rights in accordance with regulatory requirements. No evidence emerged suggesting actual misuse of the exposed PHI following the containment of the breach. The organization did not publicly disclose whether multi-factor authentication or other specific security controls were in place on the compromised email account prior to the incident. The forensic review provided sufficient detail about the nature of the exposed data categories to fulfill notification obligations to affected individuals and regulators.
