Cyber Incident Victim: Country Doctor Community Health Clinic
Date:
Sep 2022
Location:
United States of America
Summary
Country Doctor Community Clinic experienced a hacking incident that compromised sensitive data of 38,751 individuals, prompting an official breach notification to federal health authorities. The Seattle-based healthcare provider, operating multiple clinics offering primary care and specialized services, disclosed the unauthorized access but did not file notices with state governments or post public website advisories. Affected individuals received direct notifications about the exposure of their personal information, which risks identity theft and fraud. The breach investigation remains ongoing with limited public details beyond its classification as an IT security failure impacting patient data under the organization's care.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 16, 2022, Country Doctor Community Clinic (CDCC) filed an official notice with the U.S. Department of Health and Human Services Office for Civil Rights disclosing a data breach resulting from a hacking/IT incident. The breach compromised sensitive consumer data entrusted to the Seattle-based healthcare provider, affecting 38,751 individuals. CDCC initiated notification procedures on the same day by mailing data breach letters to all impacted parties. These letters informed recipients about the exposure of their personal information and provided guidance on protecting themselves from identity theft and fraud. The organization’s filing with federal regulators did not specify the exact timeline of the cyberattack, the methods used by threat actors, or the types of data exfiltrated beyond classifying it as sensitive consumer information. No evidence indicated that CDCC had issued breach notifications to state governments or published a security notice on its corporate website as of the reporting date, despite the breach’s scale potentially triggering state-level disclosure requirements in jurisdictions with affected residents.
Country Doctor Community Clinic, founded in 1971, operates multiple healthcare facilities in Seattle, including the Carolyn Downs Medical Center, Dental Clinic, and After Hours Clinic, offering primary care, diabetes management, substance abuse treatment, behavioral health services, and dental care. The organization employs over 193 staff and generates approximately $18 million in annual revenue. The breach exposed vulnerabilities in CDCC’s data security infrastructure, though the filing did not describe compromised systems, containment measures, or forensic investigation outcomes. The incident’s confirmed consequences included the unauthorized access to protected health information of nearly 39,000 patients, creating risks of identity theft and financial fraud. CDCC’s response focused on regulatory compliance through the HHS filing and direct consumer notifications but did not publicly disclose remediation steps, technical mitigations, or third-party involvement in incident resolution. The lack of detailed public reporting left uncertainties regarding the attack’s duration, root cause, and full impact on clinical operations or data integrity.