
Cyber Incident Victim: Northeast Surgical Group

Date: Jan 2023

Location: United States of America

Summary

Northeast Surgical Group experienced a cybersecurity incident involving unauthorized network access by the BianLian ransomware group, leading to the exposure of sensitive patient data including names, addresses, Social Security numbers, dates of birth, and medical treatment details. The organization engaged forensic specialists and legal counsel, concluding that data was exfiltrated but did not disclose the subsequent public leak of information on clearnet and dark web platforms or confirm whether ransomware encryption occurred. Despite evidence of data being freely available online, notifications to affected individuals and regulators omitted references to the public dump and potential misuse risks, stating only that no evidence of misuse had been identified.


Description

On January 8, 2023, Northeast Surgical Group (NESG) detected suspicious activity within its network environment. The organization immediately engaged a law firm specializing in cybersecurity and data privacy to investigate, alongside third-party forensic specialists. The investigation, concluded on February 13, determined that an unauthorized party accessed personal information including names, addresses, Social Security numbers, and—for some individuals—dates of birth and medical or treatment information. NESG did not specify whether the incident involved ransomware encryption, data exfiltration without encryption, or any ransom demands. The BianLian ransomware group listed an unnamed medical group on its dark web leak site in January 2023 and later posted a teaser on BreachForums in February. DataBreaches.net identified NESG as the victim through corroborating evidence but received no response to multiple inquiries sent via NESG’s website contact form and LinkedIn between January 28 and February 17.

NESG notified 15,298 affected patients and the U.S. Department of Health and Human Services (HHS) on or around March 6, 2023. Its notification letter stated there was no evidence of actual or future misuse of the exposed data, despite BianLian’s confirmed leaks of NESG data on both clearnet and dark web platforms by early February. The letter omitted any reference to the public availability of the stolen protected health information (PHI) and did not acknowledge the ransomware group’s involvement. Patients were offered complimentary credit monitoring services, though NESG’s delayed disclosure limited early opportunities for individuals to implement protective measures. The organization maintained silence toward media inquiries, leaving unresolved questions about the attack’s technical mechanisms, whether BianLian issued a ransom demand, and NESG’s decision-making in handling the breach.
