Cyber Incident Victim: Jefferson Surgical Clinic
Date: Jun 2021
Location: United States of America
Summary
The Jefferson Surgical Clinic experienced a cybersecurity breach involving unauthorized network infiltration attempts, prompting immediate FBI notification and an investigation with forensic specialists. The probe revealed potential access to sensitive patient information, including names, dates of birth, Social Security numbers, and medical treatment details. Approximately 175,000 individuals were notified several months after detection and offered credit monitoring services. No confirmed details were available on data exfiltration, encryption status, or ransom demands.
Description
On June 5, 2021, Jefferson Surgical Clinic detected a cybersecurity attack involving an unauthorized third-party attempt to infiltrate its computer network. The clinic, based in Virginia, immediately notified the Federal Bureau of Investigation (FBI) and initiated a coordinated response. This included engaging external cybersecurity and legal specialists, including a law firm with data privacy expertise and third-party forensic investigators, to assess the incident. The investigation, which concluded months later, determined that an unknown unauthorized party potentially accessed sensitive protected health information. The compromised data included patient names, dates of birth, Social Security numbers, and health or treatment information. No evidence of data exfiltration, encryption, or ransom demands was disclosed in the clinic’s public statements or notification letter.

The clinic delayed patient notifications until January 2022, approximately seven months after detecting the breach. On January 6, 2022, it formally reported the incident to the Maine Attorney General’s Office, disclosing that 174,769 individuals were affected. A notification letter was posted on the clinic’s website, though the report did not clarify whether impacted individuals were exclusively patients or included employees or contractors. Affected parties were offered credit monitoring services as remediation. The clinic did not cite law enforcement requests or exceptional circumstances to justify the notification delay, nor did it confirm whether data encryption was in place prior to the breach. Independent inquiries by media outlets seeking clarification on encryption status, data exfiltration, or ransom demands received no immediate response from the clinic’s IT management team.
