Cyber Incident Victim: Bako Diagnostics
Date: Dec 2021
Location: United States of America
Summary
Bako Diagnostics, a Georgia-based laboratory services provider, suffered a cyberattack involving unauthorized network access and data exfiltration, compromising protected health information such as patient names, contact details, health insurance data, medical records, and financial information. The breach affected 25,745 individuals, leading to enhanced security measures, system hardening, and complimentary credit monitoring for those with exposed sensitive identifiers like Social Security numbers.
Description
Bako Diagnostics, a Georgia-based provider of laboratory services, discovered a cyberattack on December 28, 2021. The subsequent investigation confirmed unauthorized actors accessed its network and exfiltrated data during a seven-day period from December 21 to December 28, 2021. The compromised files contained protected health information of patients, including names combined with one or more of the following identifiers: dates of birth, addresses, telephone numbers, email addresses, health insurance details, medical record numbers, dates of service, provider and facility names, specimen/test information, billing and claims data, and financial account information. The forensic review did not specify whether clinical results or diagnostic reports were among the exfiltrated materials but confirmed the theft of administrative and financial records. The attack vector and initial access method remained undisclosed in public reporting, though the intrusion timeframe suggested possible holiday-period exploitation when security monitoring might have been reduced. No ransomware deployment or encryption activity was mentioned, distinguishing this incident as a data exfiltration event rather than a ransomware attack affecting operational continuity.

In response to the breach, Bako Diagnostics implemented enhanced security measures including system hardening, improved monitoring capabilities, and infrastructure upgrades to prevent future incidents. The organization offered complimentary credit monitoring services specifically to individuals whose Social Security numbers, driver's licenses, state identification numbers, or financial account details were potentially compromised, indicating tiered notification based on sensitivity of exposed data. The company reported the incident to the HHS Office for Civil Rights as affecting 25,745 individuals, though the notification did not specify whether this figure included only patients or also encompassed employees or other affected parties. No evidence of data misuse was reported at the time of disclosure, though the presence of financial information in the exfiltrated datasets created elevated identity theft risks. The breach notification timeline showed a two-month gap between discovery on December 28 and regulatory reporting to HHS, consistent with forensic investigation requirements under HIPAA's 60-day reporting rule.
