Cyber Incident Victim: Community Surgical Supply

On October 5, 2021, Community Surgical Supply Inc. (CSS) discovered a cybersecurity incident when employees identified unauthorized encryption of certain company files. The Toms River, New Jersey-based medical supply manufacturer and retailer immediately secured its network and engaged cybersecurity professionals to investigate the scope and origin of the breach. The investigation confirmed on July 1, 2022, that an unauthorized actor had accessed portions of CSS's network and obtained sensitive consumer data. The compromised information included names, addresses, driver's license numbers, government identification numbers, passport numbers, Social Security numbers, and dates of birth belonging to 66,115 individuals. CSS initiated a comprehensive review of affected files to identify impacted consumers and determine the specific data elements exposed in each case.

Following the completion of its forensic review, CSS began mailing data breach notification letters to affected individuals on July 29, 2022. The company reported the incident to relevant state government entities as required by data breach notification laws. While CSS did not explicitly confirm the attack methodology, the presence of file encryption suggested potential ransomware involvement, though no evidence indicated whether ransom demands were made or paid. The breach exposed highly sensitive personal identifiers that could facilitate identity theft or financial fraud against affected patients and healthcare professionals. As a 60-year-old organization with 775 employees and $226 million annual revenue, CSS faced operational disruption during its network security remediation efforts but maintained service delivery of respiratory, enteral nutrition, sleep, and infusion therapy products throughout the incident response period.