Cyber Incident Victim: New Creation Counseling Center
Date:
Feb 2022
Location:
United States of America
Summary
New Creation Counseling Center experienced a cybersecurity incident involving unauthorized access to its systems, potentially compromising the personal information of 24,029 individuals. The breach was disclosed alongside other unrelated incidents but no specific details regarding data types, breach methods, or remediation steps were provided in the available reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Smile Brands, a dental support organization, experienced a significant ransomware attack on April 24, 2021, resulting in unauthorized access to its systems containing sensitive personal and health information. The attackers compromised data including names, addresses, birth dates, Social Security numbers, financial details, phone numbers, health records, and government-issued identification numbers. The company initially reported the breach to the Office for Civil Rights (OCR) in June 2021, estimating only 1,200 affected individuals. This figure was revised upward to 199,683 individuals in subsequent reporting before a final update in 2022 revealed the full scope of 2,592,494 impacted persons. Notifications to affected individuals occurred in three waves—September 2021, January 2022, and February 2022—with Maine's Attorney General Office publicly listing the incident as one of 2021's largest breaches. Smile Brands stated it promptly terminated unauthorized access upon detection and initiated an investigation, though forensic evidence confirmed the attackers exfiltrated some data. As remediation, the organization offered 12 months of complimentary credit monitoring services to victims but did not disclose whether ransom payments were made or specify technical containment measures.
The same article referenced separate unauthorized access incidents at New Creation Counseling Center (NCCC) in Ohio impacting 24,029 individuals and Illinois Gastroenterology Group (IGG), though no details regarding attack vectors, timelines, data types, or response actions were provided for these secondary cases. For the Smile Brands incident, the nearly 13-fold increase in reported victims between initial and final disclosures highlighted challenges in breach assessment, while the multi-phase notification process suggested evolving understanding of compromised records over nine months. The inclusion of financial information and government IDs in the stolen data elevated risks of identity theft and financial fraud beyond typical health information exposures. No information was available regarding operational disruptions, regulatory penalties, or long-term impacts on affected individuals.