Cyber Incident Victim: SuperCare Health
Date: Jul 2021
Location: United States of America
Summary
SuperCare Health experienced a cybersecurity incident involving unauthorized system access, impacting over 318,000 patients. The breach compromised sensitive personal and medical information, including names, addresses, dates of birth, medical record numbers, health insurance details, treatment information, and claims data. The healthcare provider stated there was no evidence of data misuse at the time of notification but did not disclose whether the incident involved ransomware, encryption, data exfiltration, or the specific method of unauthorized access.
Description
SuperCare Health, a California-based home respiratory care provider, detected unauthorized activity within its systems on July 27, 2021. Subsequent investigation revealed the activity commenced four days earlier, on July 23, 2021. The organization did not publicly disclose the specific intrusion method or whether data exfiltration occurred during this period. In March 2022, SuperCare formally notified the California Attorney General’s Office regarding the security incident, complying with state breach reporting requirements. The compromised information included extensive patient details: full names, physical addresses, dates of birth, medical record numbers, account numbers, hospital/medical group affiliations, health insurance policy details, diagnostic/treatment records, and claims-related data. This dataset exposed affected individuals to potential identity theft, medical fraud, and insurance-related exploitation risks due to the sensitivity of health and financial information involved.

On March 25, 2022, SuperCare issued breach notifications to 318,379 impacted patients, nearly eight months after initial detection. The notification letter emphasized that no evidence of data misuse or public dissemination had been identified as of the mailing date. The company’s public website notice mirrored this assertion but omitted critical details regarding the attack’s nature, specifically declining to confirm whether ransomware was deployed, whether systems were encrypted, or whether attackers issued ransom demands. DataBreaches.net submitted inquiries to SuperCare seeking clarification on these technical specifics, but no response was documented in the available source material. The absence of confirmed exfiltration details left uncertainty regarding whether threat actors retained copies of the patient data despite SuperCare’s reassurances about non-disclosure.
