Cyber Incident Victim: XYZ Corp
Date: Aug 2021
Location: United States of America
Summary
A healthcare technology services provider experienced a breach when an attacker compromised a patient portal and exfiltrated files containing sensitive patient information, including names, addresses, Social Security numbers, dates of birth, medical diagnoses, and treatment details. The incident impacted over 319,000 individuals initially, with subsequent ransomware actors claiming responsibility and an additional entity reporting exposure of approximately 6,000 patient records. The compromised data also potentially included Medicaid IDs and portal usernames, though the attack was contained to specific systems without affecting other client infrastructures.
Description
On August 26, 2021, healthcare technology services company QRS, Inc. detected unauthorized access to a client’s patient portal server. The attacker exfiltrated files from this specific server during the breach. QRS confirmed the compromise was isolated to this single client’s system and did not affect other QRS infrastructure or additional clients. The company identified the intrusion within three days of its occurrence. Exposed data varied by individual but potentially included names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment or diagnosis details. QRS issued a formal notification detailing the scope of accessed information and emphasized that no other systems were compromised. The incident was reported to the U.S. Department of Health and Human Services as impacting 319,788 patients.

On November 30, 2021, the Snatch ransomware group claimed responsibility for the attack on its dedicated leak site. Around the same time, Gregory Brewer, MD PLLC separately reported that 6,027 of its patients were affected by the incident. It remained unclear whether this figure was included in QRS’s original HHS submission or represented an additional cohort. No further technical details regarding the attack vector, containment measures, or forensic findings were disclosed in available sources. The breach exclusively involved structured health and identification data from the compromised patient portal, with no evidence of broader operational disruption to QRS or its clients beyond the exfiltrated files.
