Cyber Incident Victim: CareNet Medical Group

CareNet Medical Group, PC (“CMG”), a women’s healthcare provider based in Schenectady, New York, experienced a cyberattack that compromised sensitive patient data between May 9, 2022, and June 4, 2022. The breach was not immediately detected, with CMG’s investigation later confirming unauthorized network access and data exfiltration during this period. The company secured its systems upon discovering the intrusion and engaged cybersecurity professionals to investigate the incident. On April 26, 2023, nearly a year after the attack window, CMG verified that an unauthorized party had removed files containing confidential patient information from its network. The delayed discovery highlights the operational challenges in identifying and containing such breaches. CMG subsequently conducted a review of the compromised files to determine the scope of impacted individuals and the specific data exposed.

The compromised data included patients’ full names, Social Security numbers, addresses, driver’s license numbers, bank account and routing numbers, dates of birth, medical reference numbers, Medicare numbers, cell and home phone numbers, health insurance information, and email addresses. On June 2, 2023, CMG filed a formal notice with the Vermont Attorney General and issued individualized breach notification letters to affected patients. The company also published a “Notice of Data Security Incident” on its website to inform the public. Established in 1983, CMG operates two facilities in Schenectady and Clifton Park, offering OB/GYN services, fertility treatments, and gynecological surgeries to patients in New York’s Capital District. With over 25 employees and approximately $6 million in annual revenue, the breach underscores the targeting of healthcare providers for their repositories of sensitive personal and medical data. The incident exposed patients to heightened risks of identity theft and financial fraud due to the breadth of compromised identifiers.