Cyber Incident Victim: Orthopedic Associates of Dutchess County
Date: Mar 2021
Location: United States of America
Summary
Orthopedic Associates of Dutchess County experienced a cybersecurity incident involving unauthorized access to its systems, during which an attacker encrypted files and claimed to have exfiltrated or viewed sensitive patient data. The compromised information included names, addresses, Social Security numbers, medical diagnoses, insurance details, payment information, and treatment records, impacting over 331,000 individuals. The organization initiated notifications to affected patients and offered complimentary identity and credit monitoring services for twelve months, though specifics regarding ransom demands or payments were not disclosed in their communications.
Description
On March 5, 2021, Orthopedic Associates of Dutchess County (OADC) in New York detected suspicious activity within its systems. The organization initiated an investigation, which determined that an unauthorized actor had gained access to certain OADC systems on or around March 1, 2021. The threat actor encrypted files and subsequently claimed to have removed and/or viewed specific data. Gina Sleeper, OADC's Chief Executive Officer, confirmed in a notification letter that the attacker provided some files as evidence of their access, though the letter did not disclose whether a ransom demand was made or if any payment occurred. The breach investigation did not publicly identify the specific systems compromised or the exact methods used by the attacker to infiltrate the network. OADC did not report whether the encrypted files were recovered or if business operations were disrupted during the incident. The organization's public disclosure focused on the unauthorized access and exfiltration claims rather than operational impacts.

The compromised data included patients' names, addresses, telephone numbers, email addresses, emergency contacts, guarantor details, patient identification numbers, medical record numbers, diagnosis information, health insurance numbers and related policy details, payment information, dates of birth, Social Security numbers, and treatment records. OADC began mailing notification letters to 331,376 affected patients starting March 4, 2021, three days after discovering the breach. The notifications offered recipients 12 months of complimentary identity and credit monitoring services. No additional remediation measures or financial compensation beyond the monitoring were detailed in the public report. The organization did not specify whether law enforcement was involved in the investigation or if regulatory penalties resulted from the incident. Patient treatment services continued without reported interruptions following the breach disclosure.
