Jefferson Surgical Clinic Announces June 2021 Data Breach Impacting 174,769 Patients

Share this article on:

Roanoke, VA-based Jefferson Surgical Clinic has started notifying patients that some of their protected health information has potentially been compromised in a cyberattack that was detected on June 5, 2021.

According to the breach notification letter provided to the Maine Attorney General, the attacker gained access to parts of the network that contained patient data such as names, birth dates, Social Security numbers, and health and treatment information.  Jefferson Surgical Clinic promptly notified the Federal Bureau of Investigation about the breach and engaged third-party cybersecurity and forensics specialists to assist with the investigation.

The investigation uncovered no evidence to suggest any patient data has been or will be misused as a result of the security breach; however, as a precaution against identity theft and fraud, Jefferson Surgical Clinic has offered affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Maine Attorney General was notified that the parts of the network accessed by the attacker contained the protected health information of 174,769 patients and that names or other personal identifiers were obtained in combination with Social Security numbers. No reason was provided as to why it took 7 months to issue notifications to patients and regulators.

Ransomware Attack on Non-Profit Affects 10,438 Individuals

A New Leaf, Inc., a Broken Arrow, OK, non-profit provider of services to individuals with developmental disabilities, has started notifying 10,438 individuals that some of their protected health information was potentially compromised in a March 2021 ransomware attack.

The attack was detected on March 30, 2021, when files on its network were encrypted.  Assisted by a leading cybersecurity firm, A New Leaf discovered that prior to file encryption, certain files were exfiltrated from its network.

Initially, due to the nature of the incident and the systems that had been affected, it was not believed that any protected health information had been compromised, but the investigation revealed on June 23, 2021, that some of the documents obtained by the attackers did include personal and protected health information. A manual review had to be conducted to determine what information had been obtained and where the affected people resided. That review was completed on October 11, 2021, and notification letters were sent to affected individuals on December 30, 2021.

A New Leaf has offered affected individuals a 2-year membership to Experian IdentityWorks Credit 3B’s identity theft protection and credit monitoring services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On