Cyber Incident Victim: Premier Kids Care, Inc.
Date:
Apr 2020
Location:
United States of America
Summary
Premier Kids Care, Inc., a Georgia-based provider of specialized pharmacy and clinical services for children, experienced unauthorized access to its systems during a cyberattack. The compromised data included patient names, demographic details, limited treatment information, and health insurance records, though no Social Security numbers or financial data were accessed. The organization notified affected individuals after an eight-month investigation, offering identity protection and credit monitoring services. The total number of impacted patients remains undetermined.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 6, 2020, Premier Kids Care, Inc. (PKC), a Georgia-based provider of specialized pharmacy and home clinical services for children with diabetes, endocrinological, and perinatal needs, discovered it had been targeted by a cyberattack. An unauthorized actor gained access to PKC’s systems, prompting an immediate investigation. The investigation confirmed the attacker obtained personal information stored on a company computer, though no Social Security numbers or financial data were compromised. The exposed information included patient names, their status as PKC patients, dates of birth, addresses, telephone numbers, limited treatment details, and health insurance information. The breach impacted individuals receiving specialized care, though the exact number of affected patients remained unclear as no entry appeared on the U.S. Department of Health and Human Services (HHS) breach portal at the time of reporting. PKC did not publicly disclose the attack vector or whether ransomware was involved, despite media inquiries.
PKC notified affected individuals with current contact information approximately eight months after discovering the breach, issuing public notice on December 5, 2020. The company offered 12 months of credit monitoring and identity protection services, though it provided no explanation for the delay between discovery and notification. Patients who did not receive notifications but suspected their information was compromised were directed to a toll-free support line available weekdays from 9:00 a.m. to 9:00 p.m. EST. The lack of HHS reporting left the scope of the incident undefined, including the total number of patients impacted. PKC did not respond to requests for clarification on the nature of the attack, investigation timeline, or remediation steps beyond the notifications and identity protection offerings. The breach exposed sensitive health and demographic data, creating potential risks for affected families despite the absence of financial identifiers.