Cyber Incident Victim: New Jersey Brain and Spine
Date:
Nov 2021
Location:
United States of America
Summary
A New Jersey-based neurosurgery practice experienced a cyberattack involving data encryption, impacting approximately 92,000 individuals. Compromised information included names, contact details, Social Security numbers, financial data, driver’s license numbers, and medical records. The organization migrated to cloud storage, implemented two-factor authentication, and enhanced monitoring following the incident. While notifications were issued online with plans for mailed updates pending further investigation, no evidence of data misuse was identified. The attack highlighted broader trends targeting smaller healthcare entities for sensitive patient information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 16, 2021, New Jersey Brain and Spine (NJBS) experienced a cyberattack that encrypted portions of its data systems. The neurosurgery practice initiated an investigation to determine the nature and scope of the incident, which disrupted access to critical information. By the time of the public notification, NJBS had identified that unauthorized actors gained access to systems containing protected health information (PHI) and personally identifiable information (PII) of 92,453 individuals. The compromised data included patient names, email addresses, birth dates, physical addresses, Social Security numbers, driver’s license numbers, telephone numbers, financial account details, and medical records. NJBS did not specify the exact method of initial intrusion or whether ransomware was deployed alongside the encryption activity. The organization acknowledged the attack’s impact on operational continuity but provided no further details about system downtime or immediate containment steps taken on November 16.
Following the attack, NJBS implemented enhanced security measures, including migrating data to cloud-based storage systems, deploying two-factor authentication across network access points, and establishing ongoing monitoring protocols. The practice continued investigating the full extent of compromised data beyond the initial notification period, pledging to issue individualized mail notifications to affected patients once this process concluded. NJBS confirmed no evidence of actual misuse of exposed data but advised impacted individuals to remain vigilant against potential identity theft or financial fraud. The incident highlighted risks to specialty healthcare practices, with NJBS joining other New Jersey outpatient facilities targeted during a broader surge in attacks against smaller providers observed throughout 2021. The organization’s public notice omitted technical specifics regarding attacker attribution, ransom demands, or data recovery methods but emphasized procedural improvements to prevent recurrence.