Woodruff Institute

Aliases: 2 aliases
Primary URL: www[.]woodruffinstitute[.]com
Location: United States of America
Industry: Healthcare
Profile

The Woodruff Institute, operating as the Dermatology and Plastic Surgery Center, is a Florida-based medical practice providing specialized clinical services. Its core offerings encompass both dermatological care and plastic surgery procedures, serving a patient population seeking medical treatment for skin conditions as well as elective cosmetic enhancements. The practice maintains comprehensive patient records, as evidenced by a 2021 data breach that exposed detailed medical information including lab test types, insurance details, and Medicare numbers, which in older documents functioned as Social Security numbers. This indicates the institute handles sensitive health data across a spectrum of care, from routine dermatology to surgical interventions. The breach also revealed the practice processes substantial financial information, such as patient payment forms containing full credit card numbers, accounting records with truncated bank details, and business expense documentation. This dual handling of medical and financial data suggests an integrated operational model common in outpatient specialty practices. The organization's market is primarily regional, focused on Florida, though its specific geographic reach beyond a single location is not detailed in available information. Its service scope implies a clientele interested in both necessary medical dermatology and optional plastic surgery, positioning it within the broader healthcare sector but with a distinct focus on aesthetic and surgical dermatology.

A distinguishing attribute of the Woodruff Institute is its positioning within the lucrative plastic surgery sector, a factor that explicitly influenced its targeting by the ransomware group Grief. The attackers justified breaching the practice by separating plastic surgery from general healthcare, characterizing it as a profitable niche. This incident highlights the practice's handling of high-value financial data, including employee incentive compensation, profit and loss statements, and Paycheck Protection Program loan information, which points to a business model with significant revenue streams and complex financial management. The exposure of full credit card numbers from patient payment forms further underscores the practice's direct processing of consumer financial transactions. While the breach documentation confirms the institute's status as a healthcare provider subject to data privacy risks, no explicit details regarding its ownership structure, parent company, or subsidiary relationships are provided. The available information frames the organization as an independent medical practice whose combination of medical services and financial data processing made it a target, illustrating the intersection of healthcare delivery and business operations within a specialized clinical setting. The incident serves as a public record of the data types the institute manages, confirming its role as a provider that maintains both protected health information and detailed financial records for its business and patients.

Incidents
1 incident