Cyber Incident Victim: Cardiovascular Consultants Ltd.
Date:
Sep 2023
Location:
United States of America
Summary
Cardiovascular Consultants Ltd. experienced a cybersecurity incident involving unauthorized system access, data encryption, and theft of sensitive information from its electronic medical records and data warehouse. The breach compromised personal and health-related data of approximately 500,000 patients, guarantors, and former patients, alongside employee information affecting 200 staff members across multiple locations. Stolen details included names, contact information, Social Security numbers, medical diagnoses, treatment records, insurance data, and driver’s license identifiers. The organization engaged forensic experts, contained the incident, notified affected individuals, and arranged 24 months of credit monitoring and identity protection services. Additional security measures were implemented following the breach, while potential regulatory investigations and litigation risks remain under assessment.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Cardiovascular Consultants, Ltd. (CVC), a U.S. subsidiary of Fresenius Medical Care AG, discovered a cybersecurity incident affecting its computer systems on September 29, 2023. The intruder had accessed systems on or before September 27, 2023, encrypting data and exfiltrating information from CVC’s electronic medical record system and data warehouse. These systems contained current and former patient records, guarantor details, and employee information. CVC immediately initiated containment protocols and engaged a third-party forensic firm to investigate the breach. The investigation confirmed unauthorized access to specific systems, with stolen data originating primarily from the data warehouse. Compromised information included patient names, mailing addresses, dates of birth, Social Security numbers, driver’s license or state ID numbers, insurance policy details, diagnosis and treatment records, emergency contact information, and billing data. Employee-related files and applications storing sensitive personnel information were also impacted. Approximately 500,000 individuals—including patients, former patients, guarantors, and insurance policy holders—alongside 200 staff members across multiple U.S. states, territories, and four countries were potentially affected by the breach.
CVC began mailing notification letters to impacted individuals on December 2, 2023, and arranged 24 months of complimentary identity protection, credit monitoring, and fraud resolution services through a consumer credit reporting agency. A dedicated call center was established to address inquiries, referencing case number B110209. The company implemented additional security measures to prevent future incidents, though specifics were not disclosed. Fresenius Medical Care AG concurrently investigated potential impacts on another U.S. subsidiary, Fresenius Vascular Care, Inc., though findings remained pending at the time of reporting. While the parent company stated the incident would not materially affect its financial condition, it acknowledged regulatory reporting obligations, possible agency investigations, litigation risks, and reputational consequences. No operational disruptions were reported, and all containment and remediation efforts were described as ongoing alongside continued coordination with forensic experts and regulatory authorities.