Cyber Incident Victim: Minimally Invasive Surgery of Hawaii

On February 19, 2021, Minimally Invasive Surgery of Hawaii discovered unauthorized access to its network systems, later determined to be part of a ransomware attack. The investigation revealed threat actors had infiltrated the network between January 19 and February 19, 2021, during which they accessed and exfiltrated sensitive patient data. The compromised information included patient names, Social Security numbers, medical treatment details, health insurance information, and limited financial data. The organization engaged third-party cybersecurity specialists to contain the breach, secure affected systems, and conduct forensic analysis to determine the attack's scope. Notification letters were sent to impacted individuals beginning April 19, 2021, with the breach officially reported to the U.S. Department of Health and Human Services on that same date. The attackers targeted a network server containing patient records, though the specific vulnerability exploited was not publicly disclosed.

The incident affected 5,600 patients whose protected health information was exposed during the month-long network intrusion. Potential consequences included identity theft, medical fraud, and financial harm due to the sensitive nature of the stolen data. Minimally Invasive Surgery of Hawaii offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services through CyEx. The organization implemented additional security measures following the breach, including enhanced network monitoring tools and revised data protection protocols. No evidence emerged suggesting misuse of the stolen data, but the clinic advised patients to monitor financial accounts and credit reports for suspicious activity. This ransomware attack exemplified the growing trend of cybercriminals targeting smaller healthcare providers with limited cybersecurity resources.