Cyber Incident Victim: Susan M. Hughes Center
Date: Aug 2016
Location: United States of America
Summary
A cosmetic surgery and medical spa experienced a ransomware attack compromising patient information including names, telephone numbers, dates of service, treatment types, and payment amounts. The organization responded by initiating an investigation, resetting passwords, isolating the affected server, restoring backups, and engaging forensic experts, though no evidence of data misuse was identified. Notification to affected patients occurred approximately four months after discovery, accompanied by a dedicated call center for inquiries and commitments to enhanced security measures.
Description
On August 30, 2016, the Susan M. Hughes Center, a cosmetic surgery and medical spa operating in New Jersey and Pennsylvania, detected a ransomware attack compromising its computer systems. The organization immediately initiated an investigation, reset system passwords, disconnected the affected server from the network, and restored operations using backup data. A third-party forensic firm was engaged to assist in determining the scope and nature of the breach. The investigation confirmed that an unauthorized actor had remotely accessed a server containing patient information, though no evidence suggested data misuse or exfiltration. Compromised files potentially included patient names, telephone numbers, dates of service, types of medical services or treatments received, and payment amounts. Based on the disclosed information, the incident impacted 11,400 individuals and did not involve Social Security numbers, financial account details, or clinical records.

The organization reported the incident to the U.S. Department of Health and Human Services (HHS) on December 27, 2016, and began mailing notification letters to affected patients the same day. A dedicated call center (1-866-263-4159) was established to address patient inquiries, operating weekdays from 9 a.m. to 7 p.m. Eastern Time. Patients were advised to contact the center if they believed they were impacted but had not received a letter by January 14, 2017. The Hughes Center publicly emphasized its commitment to patient privacy and stated it was implementing enhanced security measures with a specialized firm to prevent future incidents. No ransomware payment details or specific technical vulnerabilities were disclosed in the public statement. The four-month gap between breach discovery and patient notifications drew external scrutiny regarding compliance with timely disclosure requirements under health privacy regulations.
