Cyber Incident Victim: VPN Solutions

On or around October 31, 2021, Virtual Private Network Solutions (VPN Solutions) discovered a cyberattack affecting systems it managed for Arlington Skin, a medical practice operated by Dr. Michelle A. Rivera in Virginia. VPN Solutions served as a business associate responsible for managing Arlington Skin's electronic medical records through the Allscripts practice management solution and electronic medical records platform. Following the detection of unauthorized access, VPN Solutions initiated a forensic investigation to determine the nature and scope of the security incident. The investigation confirmed that unauthorized individuals potentially accessed protected health information of Arlington Skin patients during the breach window. The compromised data categories included patient names, addresses, dates of birth, diagnostic and treatment information, health insurance details, and Social Security numbers. No forensic evidence confirmed actual data exfiltration or theft from the systems.

The forensic review concluded that 17,468 Arlington Skin patients had their information exposed in the incident. Notification letters detailing the breach were mailed to affected individuals beginning July 8, 2022—approximately eight months after the attack's discovery. Although investigators found no proof that attacker accessed or misused patient data, VPN Solutions and Arlington Skin provided complimentary fraud assistance and identity remediation services through CyberScout as a precautionary measure. The breach notification process occurred separately from a larger unrelated incident involving First Choice Community Healthcare, which VPN Solutions was not associated with. Arlington Skin's breach disclosure occurred through substitute notices coordinated with federal reporting requirements, with no additional operational disruptions or secondary attacks reported in the source material.