Cyber Incident Victim: Vincera Institute
Date: Apr 2023
Location: United States of America
Summary
The Vincera Institute experienced a ransomware attack which impacted several of its associated services. The incident potentially compromised sensitive patient information, including names, contact details, Social Security numbers, dates of birth, medical histories, treatment records, and insurance information. The organization has since notified patients and has undertaken efforts to enhance its security measures while investigating and remediating vulnerabilities.
Description
On April 29, 2023, the Vincera Institute in Philadelphia experienced a ransomware attack. The incident was publicly disclosed by the organization on June 20, 2023, the same date it was officially reported to the U.S. Department of Health and Human Services. The attack impacted multiple associated services operating under the Vincera Institute umbrella. As reported to HHS, Vincera Core Physicians was listed as having 10,000 individuals affected. Vincera Surgery Center reported 5,000 individuals affected. Vincera Rehab also reported 5,000 individuals affected, and Vincera Imaging similarly reported 5,000 individuals affected. This cumulative reporting suggested a potential impact on up to 25,000 patients. However, the Institute acknowledged that because patients may have been seen by more than one of its associated services, the actual total number of unique individuals affected was likely to be considerably lower than the sum of the reported figures.

The investigation into the attack did not conclusively determine whether unauthorized access, exfiltration, or misuse of patient data had occurred. The Institute's public statement did not confirm these actions but also did not rule them out, leaving the possibility open. The types of data that were potentially compromised in the incident were extensive. These included patients' full names and various contact details such as physical addresses, phone numbers, and email addresses. Furthermore, sensitive government-issued identifiers, specifically Social Security numbers, were part of the potentially affected data set. Dates of birth, which are frequently used for verification and are considered sensitive personal information, were also involved.
The scope of the potential data compromise extended deeply into private medical and financial records. Medical history and treatment records were listed among the compromised information, representing a significant breach of patient confidentiality. Insurance information provided by patients to the Institute was also part of the data set exposed during the incident. The Institute stated that the potentially compromised information included any other data a patient may have provided to them, indicating a broad and comprehensive set of personal and medical details was present on the systems impacted by the ransomware attack.
In its response to the incident, the Vincera Institute undertook actions focused on investigation and security enhancement. The organization initiated measures to investigate the full nature and cause of the breach. A key part of the response involved remediating any vulnerabilities that were identified during the post-incident analysis. The Institute also publicly stated that it had enhanced its security measures in the wake of the attack, although the specific nature of these technological or procedural improvements was not detailed in the available public information. The organization did not publicly identify the specific variant or family of ransomware involved in the attack. It also did not disclose whether any patient records or systems were rendered inaccessible or were corrupted by the ransomware encryption process, a common outcome in such attacks.
The primary consequence of the incident was the potential exposure of highly sensitive personal, financial, and medical information belonging to a substantial number of patients. Because data exfiltration was neither confirmed nor ruled out, the risk of future misuse of the information remained. The incident necessitated a large-scale patient notification process, which was carried out following the completion of the initial investigation. The reporting of the incident as four separate entities to HHS reflects the organizational structure of the Institute's services but also complicates the understanding of the true scale regarding the number of unique individuals impacted. The event disrupted the normal operations of the healthcare provider and required a significant allocation of resources toward its response, including investigation, system remediation, and patient communication efforts.
