Cyber Incident Victim: Stroke Scan, Inc.
Date: Jan 2023
Location: United States of America
Summary
A healthcare provider specializing in ultrasound screenings suffered a data breach exposing protected health information of approximately 50,000 consumers. Unauthorized access to the company's network compromised sensitive data, including medical histories, test results, and insurance details, prompting notification to federal health authorities and affected individuals. The incident likely involved protected health information given the mandatory reporting to health regulators, with breach notifications distributed to impacted parties following confirmation of the data exposure.
Description
On January 27, 2023, Stroke Scan Inc., a Texas-based healthcare provider specializing in ultrasound screenings, filed a formal notice with the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) disclosing a data breach affecting approximately 50,000 consumers. The company initiated this mandatory reporting after determining that unauthorized parties had accessed confidential consumer information stored on its computer network. Stroke Scan concluded that the incident likely resulted in the exposure of protected health information (PHI), which includes demographic details, medical histories, test results, mental health records, and insurance information collected during patient screenings. This determination triggered the company's obligation to notify HHS-OCR under federal health data protection regulations. On the same date as the regulatory filing, Stroke Scan began distributing individual data breach notification letters to all affected consumers, though the company did not publish any public statements about the incident on its corporate website at the time of reporting. The HHS-OCR breach report contained limited technical details about the intrusion method, compromised systems, or forensic timeline, with no disclosure of when the breach was initially detected or how long unauthorized access persisted before containment.

Stroke Scan, founded in 2001 and headquartered in Katy, Texas, provides mobile ultrasound screening services to corporate clients, school districts, religious organizations, and community groups across the United States. The company employs over 30 ultrasound technicians who conduct preventive health screenings and refer patients to primary care providers when abnormalities are detected, generating approximately $10 million in annual revenue. The breach notification confirmed the compromise of sensitive health data but did not specify whether financial information or Social Security numbers were exposed. The incident's impact stemmed from the exposure of PHI, which carries elevated risks of medical identity theft and insurance fraud compared to standard personal data. Stroke Scan's notification letters provided affected individuals with confirmation of their involvement in the breach but did not detail any specific remediation services offered beyond recommending vigilance against potential fraud. The company's regulatory filing established the breach as a reportable HIPAA-covered incident, though the absence of supplementary public documentation left the full scope of compromised systems, attacker methodologies, and containment measures undisclosed in initial reports.
