AffordaCare Urgent Care Clinic

AffordaCare Urgent Care Clinic operated as a provider of immediate medical services for non-life-threatening conditions, functioning as an urgent care facility within the United States healthcare system. The organization served patients in Texas and Florida, offering walk-in access for treatments ranging from minor injuries and illnesses to basic diagnostic services, positioning itself as a convenient alternative to emergency room visits for communities in those states. As a healthcare provider handling protected health information, the clinic was inherently subject to regulations concerning patient data privacy and security, though its specific compliance posture was not detailed in public records. The clinic's operational model focused on delivering timely outpatient care, a sector that increasingly relies on digital systems for patient records, scheduling, and insurance processing, thereby creating a significant repository of sensitive personal and medical data.

The organization's operational history was notably defined by a severe cybersecurity incident that occurred in early 2020. On February 1st, AffordaCare Urgent Care Clinic was targeted by the Maze ransomware group, which executed an attack involving both data encryption and exfiltration. The attackers successfully stole over 40 gigabytes of sensitive information, including patient protected health information such as full names, Social Security numbers, dates of birth, medical histories, treatment codes, and insurance details, alongside internal employee payroll documents. Following the clinic's refusal to pay the ransom demand, the Maze actors published samples of the stolen data on their public leak site. The clinic's initial public response incorrectly denied the exposure of Social Security numbers, a statement it later revised to acknowledge the potential compromise of that data along with diagnosis codes and other medical information. Critically, the organization did not promptly notify affected patients or regulators about the breach and remained unresponsive to inquiries despite the public availability of the stolen data, actions that underscored significant failures in incident response and transparency protocols common in the healthcare sector. This event served as a documented case study in the vulnerabilities faced by medical clinics and the disruptive impact of ransomware gangs employing double-extortion tactics.