Date: Nov 2015

Location: United States of America

Summary

A Michigan-based healthcare provider experienced unauthorized access to its server due to malware, potentially compromising personal and protected health information of 4,082 patients, including names, dates of birth, Social Security numbers, addresses, and medical diagnoses. The intrusion was detected following a server malfunction, prompting immediate isolation of the system, password resets, and implementation of enhanced security measures such as an additional firewall. Forensic investigation revealed the malware typically scans for login credentials, with initial unauthorized access occurring months prior. While no evidence confirmed data exfiltration or misuse, the organization notified affected individuals and offered complimentary identity theft protection services. The provider also engaged new IT specialists with HIPAA compliance expertise to strengthen safeguards.


Description

Complete Chiropractic & Bodywork Therapies (CCBT) discovered a server malfunction on March 19, 2016, prompting an immediate investigation into potential unauthorized access. The Michigan-based chiropractic practice disconnected the compromised server from the internet upon detection, changed all workstation and vendor passwords, and implemented an additional external firewall to monitor network traffic. Forensic experts engaged by CCBT determined that malware had infected the system, with the first unauthorized access occurring on November 19, 2015. The malware was identified as a type designed to scan for login credentials and password information. The affected server stored patient treatment records, billing data, and encrypted electronic medical records containing protected health information including names, dates of birth, addresses, Social Security numbers, and health/diagnosis details. CCBT maintained that while unauthorized access occurred through the malware, their investigation found no evidence that patient data was actually exfiltrated or misused. The incident potentially impacted 4,082 patients whose information resided on the server during the four-month exposure period from November 2015 to March 2016.

CCBT initiated patient notifications following the forensic investigation, disclosing the security incident despite the absence of confirmed data misuse. The practice offered affected individuals one year of complimentary identity theft protection services through LifeLock and provided specific recommendations for monitoring credit reports and financial accounts. Organizational responses included hiring new IT professionals with specialized HIPAA compliance experience to overhaul security protocols. CCBT implemented enhanced safeguards beyond their existing measures, though specific technical details of these improvements were not publicly disclosed. The incident notification emphasized that protected health information remained subject to both federal HIPAA regulations and Michigan state law protections. CCBT expressed regret for the breach and established a dedicated telephone line, (800) 426-0580, for patient inquiries regarding the incident. No ransomware demands, extortion attempts, or fraudulent activity tied to the compromised data were reported in relation to this event.
