Cyber Incident Victim: Physicians Dialysis
Date: Mar 2021
Location: United States of America
Summary
Physicians Dialysis experienced a data security incident involving unauthorized access to a database containing personal and protected health information of certain current and former patients and employees. Upon discovering unusual activity in its digital environment, the organization engaged cybersecurity experts to investigate, confirming that compromised data included names, addresses, dates of birth, Social Security numbers, medical details, and health insurance information. Notification letters were distributed to potentially affected individuals, accompanied by complimentary credit monitoring services for those with exposed Social Security numbers. The incident was reported to law enforcement, and additional security measures were implemented to prevent future breaches.
Description
On March 21, 2021, Physicians Dialysis, a healthcare provider based in Miami Beach, Florida, detected unusual activity within its digital environment. The organization immediately initiated an investigation and enlisted independent cybersecurity experts to assist in determining the nature and scope of the incident. The forensic investigation revealed evidence of unauthorized access to one of the company's databases. Physicians Dialysis conducted a comprehensive review of the compromised database in coordination with cybersecurity professionals to identify whether protected health information (PHI) or personal data was exposed. This analysis confirmed that the database contained sensitive information belonging to certain current and former patients and employees. The types of data potentially accessed included full names, physical addresses, dates of birth, Social Security numbers, medical treatment details, and health insurance or claims information. The organization dedicated significant effort to identify all affected individuals and validate their contact details, completing this verification process on June 22, 2021. The incident exposed vulnerabilities in the company's data storage systems, though no specific technical details about the attack vector or duration of unauthorized access were disclosed publicly.

Physicians Dialysis formally notified potentially impacted individuals through mailed letters on June 25, 2021, approximately three months after initial detection. These notifications described the incident's nature and outlined steps individuals could take to protect themselves from potential misuse of their information. The organization established a dedicated toll-free call center (1-833-903-3648) operating Monday through Friday during Eastern Time business hours to address inquiries and concerns. For individuals whose Social Security numbers were confirmed as exposed, Physicians Dialysis arranged complimentary credit monitoring and identity protection services through IDX, requiring affected parties to verify eligibility through the call center. Internally, the company implemented additional security measures to strengthen its digital environment against future incidents, though specific technical enhancements were not detailed in public communications. Physicians Dialysis also reported the breach to the Federal Bureau of Investigation and committed to cooperating with law enforcement efforts to identify and prosecute those responsible. The incident disrupted normal operations during the investigation period and necessitated significant resource allocation for forensic analysis, regulatory compliance, and consumer support services. No information was provided regarding the total number of affected individuals or whether ransomware or data exfiltration demands were involved in the attack.
