Cyber Incident Victim: Compton and Broomhead Dental Center
Date: Oct 2021
Location: United States of America
Summary
A cyberattack targeting Compton and Broomhead Dental Center resulted in the exfiltration of sensitive patient data; the attackers stole the data without encrypting the practice's systems. Threat actors accessed over 4,200 files containing protected health information, including names, medical histories, social security numbers, insurance details, driver's license numbers, employer information, and contact data. The attackers provided evidence confirming the validity of the compromised records, which included mental health-related disclosures. Despite demands, the practice did not engage in negotiations and reportedly responded sarcastically to threats. No public breach notifications appeared on regulatory sites or the center's website months after the incident, and the practice did not respond to inquiries. The threat actors threatened to release all patient data publicly, with indications emerging that some data may have been subsequently leaked.
Description
On or around October 8, 2021, Compton and Broomhead Dental Center (C&B Dental Center) in Indiana experienced a cyberattack involving data exfiltration by threat actors. The attackers claimed to have stolen patient files containing protected health information (PHI) and contacted DataBreaches.net to disclose the breach, providing over 4,200 files as evidence. These files bore the dental practice’s name on each page and included patient names, medical history screenings, mental health information, psychotropic medication details, demographic data, health insurance information (plan names, subscriber IDs, group numbers), Social Security numbers, driver’s license numbers, employer details, and contact information. DataBreaches.net validated the authenticity of the data through Google searches, address verification, and SSN validation, confirming the information aligned with patients’ reported birthdates and locations. The threat actors stated they did not encrypt the practice’s systems, focusing solely on data theft.

Three months post-incident, no public breach notification appeared on HHS’s breach portal, the Indiana Attorney General’s website (last updated August 2021), the dental center’s website, or Google-indexed sources. DataBreaches.net attempted to contact C&B Dental Center via its website contact form and direct emails to Dr. Compton and a marketing staff member on January 5, providing specific filenames and patient initials for verification. The inquiries asked whether the practice had notified regulators or patients and what incident response measures were taken. No responses were received. The threat actors alleged limited interactions with individuals possibly associated with the practice’s IT provider, claiming no ransom negotiations occurred and describing some communications as sarcastic, including a retort mocking their threats. The attackers threatened to publicly release all patient data unless paid, and by January 10, 2022, DataBreaches.net noted indications the data might have been leaked on a forum, though the exact location remained unconfirmed. The breach exposed highly sensitive patient information, including mental health and insurance details, with no documented containment or remediation actions by the practice as of the article’s final update on January 11, 2022.
