Cyber Incident Victim: EmergeOrtho
Date: May 2022
Location: United States of America
Summary
A ransomware attack targeted a North Carolina healthcare organization, potentially compromising protected health information of tens of thousands of patients. The entity blocked the attack but confirmed unauthorized access to sensitive data including names, addresses, Social Security numbers, and some dates of birth. Notification counts differed between reports, with initial disclosures indicating 75,200 affected individuals and subsequent federal filings referencing 68,661 patients. The organization's communications specified data access but did not confirm whether information was exfiltrated during the incident.
Description
On May 18, 2022, EmergeOrtho, a North Carolina-based healthcare provider, detected and blocked a ransomware attack targeting its systems. The organization did not disclose whether the attackers successfully encrypted files during the incident or specify the identity of the threat actors. Investigation revealed unauthorized access to protected health information, including patient first and last names, addresses, Social Security numbers, and in some instances, dates of birth. EmergeOrtho's notification letters to affected individuals stated only that data had been "accessed," without confirming whether exfiltration occurred. The organization reported the breach to the Maine Attorney General, initially indicating 75,200 impacted patients.

EmergeOrtho began mailing notification letters to patients in August 2022, more than three months after discovering the incident. A subsequent filing with the U.S. Department of Health and Human Services on August 25 revised the affected patient count downward to 68,661 individuals, creating a discrepancy of 6,539 between the two official reports. The notifications did not disclose whether a ransom demand was received or provide technical details about the attack methodology. No evidence emerged regarding operational disruptions to medical services or systems beyond the confirmed data access. The breach exposed patients to potential identity theft risks due to the compromise of sensitive identifiers, though EmergeOrtho did not report any confirmed misuse of data at the time of disclosure.
