Cyber Incident Victim: Lakeshore Bone & Joint Institute
Date: Jul 2021
Location: United States of America
Summary
Lakeshore Bone & Joint Institute experienced unauthorized access to an employee's Microsoft Office 365 email account, compromising patient data including dates of birth, treatment details, diagnoses, provider names, medical record numbers, insurance information, treatment costs, and some Social Security numbers. The breach impacted 23,627 individuals. Those whose Social Security numbers were exposed were offered complimentary identity theft monitoring services for 12 months. Remediation efforts included securing the account and engaging cybersecurity experts to investigate and mitigate the incident.
Description
On July 7, 2021, Lakeshore Bone & Joint Institute, an Indiana-based orthopedic practice, detected unusual activity within an employee’s Microsoft Office 365 email account. The organization immediately implemented measures to block further unauthorized access and engaged a cybersecurity and digital forensics firm to investigate the incident. The forensic investigation confirmed that an unauthorized actor had compromised a single employee email account, though the specific method of initial access was not disclosed. The compromised account contained emails and attachments with protected health information (PHI), prompting a comprehensive review of the account’s contents to determine the scope of exposed data. This review concluded on October 21, 2021, confirming that the attacker potentially accessed or acquired patient information including dates of birth, treatment details, diagnoses, provider names, medical record numbers, health insurance data, treatment cost information, and Social Security numbers for a subset of individuals.

The breach impacted 23,627 individuals, as reported to the Maine attorney general. Lakeshore Bone & Joint Institute initiated notifications to affected patients, specifying the types of exposed data based on the forensic review. For individuals whose Social Security numbers were compromised, the practice offered a complimentary 12-month membership to identity theft monitoring services. The incident did not disrupt clinical operations, as the compromise was confined to a single email account rather than broader network systems. No ransomware deployment or encryption of files was reported, distinguishing it from contemporaneous attacks like the one at Putnam County Memorial Hospital mentioned in the same article. The organization’s public disclosure emphasized remediation steps taken with external cybersecurity experts but did not detail specific technical safeguards implemented post-breach.
