Cyber Incident Victim: Allied Urological Services

Date: Sep 2021

Location: United States of America

Summary

Allied Urological Services experienced a data breach when an unauthorized party accessed an employee email account used for patient scheduling, compromising sensitive information. The intrusion persisted for several months before detection, during which the attacker potentially synced emails and attachments containing patient names, addresses, and financial account details including bank and card numbers. Approximately 52,981 individuals were affected by the incident. The company initiated an investigation upon discovering suspicious activity, secured the compromised account, and subsequently notified impacted parties. As a healthcare provider operating under Allied Metro Medical, the organization offers mobile urological services across multiple hospitals in the New York tri-state region.

Description

Allied Urological Services, LLC, operating as Allied Metro Medical, confirmed a data breach involving unauthorized access to sensitive patient data. The incident began when an unauthorized party gained access to the company’s computer systems around September 26, 2021, specifically targeting an employee email account used for scheduling patient appointments. Allied Urological detected suspicious activity in this account on January 3, 2022, prompting immediate action to change the account password and initiate an internal investigation. The investigation revealed the unauthorized access persisted until January 3, 2022, and determined that the attacker may have synced the contents of the compromised email account to their own system. This synchronization potentially exposed sensitive information contained within emails and attachments. Allied Urological conducted a review of all affected emails and attachments to identify the scope of compromised data, which included patient names, addresses, and financial account information such as bank account numbers and credit or debit card details. The breach impacted 52,981 individuals, with Allied Urological filing an official notice of the breach and mailing notification letters to affected parties on July 12, 2022.

The compromised data varied by individual but consistently involved personally identifiable and financial information. Allied Urological Services, based in New York, New York, provides mobile lithotripsy and prostate care services to over 30 hospitals in the tri-state area through its affiliates, Metropolitan Lithotriptor Associates, PC, and Metropolitan Urological Specialist, PC. The company serves more than 6,000 patients annually, employs over 80 individuals, and generates approximately $14 million in revenue. While the breach notification detailed the timeline of unauthorized access and data exposure, Allied Urological did not disclose the specific method by which the attacker gained initial access to the email account. The incident exposed vulnerabilities in the security of email-based systems handling sensitive patient scheduling data, though the company’s response included containment measures such as credential resets and forensic analysis. No further technical details regarding attacker tactics, infrastructure impacts, or post-breach security enhancements were disclosed in the available notice.
