Date: Mar 2022

Location: United States of America

Summary

North Alabama Bone & Joint Clinic experienced a cybersecurity incident involving unauthorized access to employee email accounts following detection of suspicious network activity. The breach potentially exposed sensitive patient information, including names, contact and financial details, dates of birth, family data, medical records, prescriptions, treatment history, and health insurance information. The clinic’s investigation remained ongoing to determine the full scope, with notification letters pending identification of affected individuals.


Description

On March 9, 2022, North Alabama Bone & Joint Clinic, P.C. (NABJC) detected suspicious activity within its network systems, prompting an immediate investigation. The clinic confirmed on the same day that unauthorized parties had gained access to certain employee email accounts. NABJC initiated a forensic investigation to determine the nature and scope of the breach but had not yet concluded this process at the time of its public disclosure. The clinic did not specify how the intrusion was detected or whether any security systems alerted them to the compromise. No evidence was presented regarding the duration of unauthorized access prior to detection or whether attackers exfiltrated data beyond email account contents. The organization acknowledged the incident could involve patient information but emphasized the investigation remained active to identify affected individuals and specific data exposures.

NABJC's preliminary assessment indicated compromised information could include names, contact details, financial data, dates of birth, family information, medical record numbers, prescription details, diagnosis and treatment histories, and health insurance information. The clinic stated impacted data would vary by individual but did not quantify the number of potentially affected patients or employees. No ransomware deployment or system encryption was mentioned in available reports. NABJC committed to issuing notification letters to affected parties once the investigation conclusively determined whose information was exposed, though no timeline was provided for this process. The clinic did not disclose whether law enforcement was involved or if third-party cybersecurity firms assisted in containment and remediation efforts. Patient services appeared to continue without reported operational disruptions following the incident detection.
