Cyber Incident Victim: Advanced Urgent Care of the Florida Keys
Date: Mar 2020
Location: United States of America
Summary
Advanced Urgent Care of the Florida Keys suffered a ransomware attack resulting in the exfiltration and public release of sensitive patient data after refusing to pay the attackers. Over 14,000 patients' personal and medical information was compromised, including names, contact details, billing records, insurance specifics, diagnosis descriptions, CPT codes, and scanned documents such as Medicare cards containing Social Security numbers. The stolen data, which also included medical histories and handwritten clinical notes, was freely distributed on a Russian-language cybercrime forum and a file-sharing platform. The clinic did not publicly acknowledge the incident or respond to inquiries about the breach.
Description
In early March 2020, Advanced Urgent Care of the Florida Keys suffered a cyberattack resulting in the unauthorized access and public exposure of sensitive patient data. Attackers exfiltrated information from the clinic's systems on or around March 1, subsequently posting over 14,000 patients' records on a Russian-language cybercrime forum under a thread titled "Malicious Defaulters." The threat actor claimed the clinic refused payment demands, suggesting a possible ransomware component, though the Maze ransomware group explicitly denied responsibility when queried. The compromised data appeared on a popular file-sharing platform and included extensive protected health information: patient names, phone numbers, email addresses, medical record numbers, insurance details, diagnosis descriptions in plain text, CPT codes, co-pay statuses, and billing histories. Numerous scanned documents contained Medicare cards (some displaying Social Security numbers when used as account identifiers), handwritten clinical notes, patient registration forms, medical histories, and reasons for visits. Particularly sensitive exposures included treatment codes, healthcare provider comments, and complete insurance policy numbers.

The clinic did not publicly acknowledge the breach or respond to multiple inquiries from journalists regarding the incident. Forensic evidence from file timestamps indicated that data extraction occurred approximately three weeks before initial media reporting. With no official statement from the organization, confirmation of containment measures or system restoration remained undocumented in available sources. The exposed data created significant risks of medical identity theft and financial fraud because it combined health information, insurance details, and personally identifiable information. At the time of reporting, no breach notification appeared on the clinic's website or through HHS's public disclosure portal, leaving patients without formal guidance about potential compromises of their sensitive data. The public dump's availability on mainstream file-sharing services increased the likelihood of widespread access to the stolen records.
