Cyber Incident Victim: Florida Springs Surgery Center

Date: May 2022

Location: United States of America

Summary

A Florida surgical center experienced a phishing attack compromising an employee's email account, leading to unauthorized access to sensitive patient data. The breach affected 2,203 individuals, potentially exposing personal identifiers, financial details, medical records, and insurance information. The organization notified impacted parties and offered complimentary credit monitoring services in response.

Description

Florida Springs Surgery Center, located in Spring Hill, Florida, experienced a cybersecurity incident between May 25 and June 2, 2022, when an unauthorized third party gained access to patient information through a phishing attack targeting an employee's Microsoft Outlook email account. The breach was disclosed in a news release from the surgical center, which confirmed that 2,203 patients were affected by the compromise. The attackers exploited the phishing scheme to infiltrate the email account, though the specific detection method or timeline leading to the discovery of the breach was not detailed in available reports. Exposed information included highly sensitive personal and medical data such as Social Security numbers, driver's license numbers, financial account details, medical records, insurance information, and billing records. The surgical center did not publicly specify whether the email account contained stored data or served as a gateway to broader network systems, nor did it disclose the exact duration between breach detection and containment.

In response to the incident, Florida Springs Surgery Center initiated a notification process by sending individualized letters to all 2,203 affected patients, outlining the nature of the compromised data and the steps taken following the breach. The center offered free credit monitoring services to impacted individuals as a remedial measure, though the specific duration or terms of this monitoring were not specified in public communications. No evidence suggested ransomware deployment, data encryption, or explicit extortion demands related to the incident. The surgical center's public disclosure did not indicate whether law enforcement was involved in investigating the attack or whether regulatory fines or legal actions resulted from the breach. The incident highlighted risks associated with phishing vulnerabilities in healthcare email systems, particularly given the sensitivity of exposed data categories that could facilitate identity theft or financial fraud. Patient notifications were completed by August 15, 2022, when the surgical center's breach disclosure was reported publicly.
