Cyber Incident Victim: AffordaCare Urgent Care Clinic
Date: Feb 2020
Location: United States of America
Summary
AffordaCare Urgent Care Clinic experienced a cyberattack by Maze Team involving ransomware and data exfiltration, with over 40 GB of sensitive information stolen including protected health information and employee records. The attackers leaked samples of patient data—such as full names, Social Security numbers, dates of birth, medical histories, treatment codes, insurance details, and payroll documents—after the clinic refused ransom demands. Initially denying Social Security number exposure, the organization later revised its statement to acknowledge potential compromise of this data alongside diagnosis codes and other medical information. The clinic did not promptly disclose the breach to patients or regulators and remained unresponsive to inquiries despite public evidence of the incident.
Description
On or around February 1, 2020, AffordaCare Urgent Care Clinic, a Texas-based network of urgent care centers operating in Abilene, Early, Stephenville, Wichita Falls, and Big Spring, suffered a cyberattack attributed to the Maze Team ransomware group. The attackers claimed to have exfiltrated over 40 GB of data containing protected health information (PHI) and other sensitive records. When AffordaCare refused to pay the ransom demanded for a decryption key and for keeping the stolen data from public disclosure, Maze Team listed the clinic on its victim-shaming website. The group provided samples of stolen data, which included patient insurance claim forms, workers' compensation documents, employee payroll records (such as W-4 forms), and patient visit records. Exposed patient information encompassed full names, Social Security numbers, dates of birth, diagnosis and treatment codes, addresses, phone numbers, medical histories, billing details, and insurance policy information. Employee data such as payroll information was also compromised. The data elements exposed in Maze Team’s dump varied from one individual to another, so not all patients were affected uniformly.

AffordaCare did not initially acknowledge the breach publicly or respond to media inquiries, continuing routine social media updates without disclosure. No breach notification appeared on its website or the U.S. Department of Health and Human Services (HHS) breach portal by March 14, 2020. On March 31, the clinic issued notification letters to patients asserting that Social Security numbers were not compromised, a claim contradicted by DataBreaches.net’s analysis of Maze Team’s published samples and by observations from the cybersecurity firm Emsisoft. Following this discrepancy, AffordaCare revised its statement on April 3, admitting the breach potentially involved Social Security numbers, diagnosis codes, medical histories, and other PHI alongside previously confirmed data types. The clinic stated it was still investigating the full scope of impacted information. As of the article’s latest update, no HHS breach entry with victim or record counts had been published. The incident exposed sensitive data from multiple clinic locations, potentially affecting thousands of patients, with no confirmed containment measures or forensic findings disclosed by the clinic.
