Cyber Incident Victim: Optima Dermatology
Date:
Aug 2021
Location:
United States of America
Summary
An unauthorized party accessed an employee email account at Optima Dermatology over several days, potentially exposing protected health information including full names, dates of birth, medical treatment details, health insurance data, and medical record numbers for certain individuals. The organization secured the account promptly, conducted forensic investigations, and confirmed no compromise of Social Security numbers, driver’s license details, or financial payment information. While there is no evidence of actual or attempted misuse of the affected data, notification letters were sent to impacted individuals with guidance on monitoring their health insurance statements. Additional security measures were implemented following the incident to prevent future occurrences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
An unauthorized party gained access to an employee email account at Optima Dermatology between August 30, 2021, and September 2, 2021. The organization discovered this security incident during an investigation that began after initial detection, though the exact date of initial detection remains unspecified in public disclosures. Optima Dermatology secured the compromised email account immediately upon learning of the breach and initiated a forensic investigation to determine the scope. The investigation concluded on February 17, 2022, confirming that protected health information was present in the accessed email account during the intrusion window. Affected data included full names, dates of birth, medical treatment details, health conditions, health insurance claims information, policy/subscriber numbers, and medical record numbers. The incident impacted patients affiliated with Optima Dermatology's brands, including The Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center, though not all patients were affected and not all data categories applied uniformly across individuals.
Optima Dermatology formally notified potentially impacted individuals about the breach on April 18, 2022, approximately eight months after the initial intrusion and two months after completing their investigation. The notification clarified that Social Security numbers, driver's license numbers, and financial account or payment card information were not involved in the incident. While no evidence indicated actual or attempted misuse of the exposed health information, the organization provided guidance to affected individuals on reviewing insurance statements for unrecognized services. Internal response measures included collaboration with the IT department to implement additional security controls aimed at preventing similar future breaches. A dedicated toll-free response line (844-978-4460) operated during Eastern Time business hours was established for verification of impact status and incident-related inquiries. The organization maintained that the breach did not compromise all patient records and emphasized ongoing commitment to information security without specifying the exact number of affected individuals or technical details of the implemented safeguards.