PHI of Over 500,000 Individuals Potentially Compromised in 4 Security Incidents

Share this article on:

Over 500,000 individuals have been affected by cyberattacks on Norwood Clinic, PracticeMax, Central Indiana Orthopedics, and an unauthorized electronic medical record incident at Ascension Michigan.

Norwood Clinic

The Birmingham, AL-based multi-specialty clinic, Norwood Clinic, has recently started notifying 228,103 individuals that some of their protected health information was accessed in a cyberattack that was detected on October 22, 2021. Upon detection of the breach, systems were immediately secured and third-party security experts were engaged to investigate the incident and determine the nature and scope of the breach.

The investigation confirmed that an unauthorized individual gained access to a server that housed patient information such as names, contact information, birth dates, Social Security numbers, driver’s license numbers, limited health information, and/or health insurance policy numbers. While unauthorized data access was confirmed, it was not possible to determine the specific information that was accessed, or whether any patient information was acquired in the attack.

Norwood Clinic said a complimentary 12-month membership to credit monitoring, dark web monitoring, and identity theft protection services has been offered to affected individuals and steps have been taken to improve cybersecurity, including revising email settings and policies, updating and modifying network security technical hardware, adding additional password complexity rules, and instituting more secure login mechanisms.


The business management and information technology solution provider PracticeMax has recently notified the Maine Attorney General about a data breach that has affected 165,698 individuals. PracticeMax said it started experiencing technical difficulties on May 1, 2021 and launched an investigation into a potential security breach.

The forensic investigation confirmed that unauthorized individuals gained access to its systems on April 17, 2021, and access remained possible until May 5, 2021. The attackers gained access to a server and potentially copied files containing the protected health information of patients and health plan members of its clients, prior to deploying ransomware.

PracticeMax said it issued notification letters on behalf of affected clients on October 19, 2021, even though the review of the server had not yet concluded. The review was concluded on February 2, 2022, and affected customers were updated on February 14, 2022. The types of data stored on the server varied from individual to individual and may have included names and Social Security numbers. PracticeMax said further notification letters started to be sent to individuals who had not previously been notified on March 4, 2022.

According to the recent web notice, “PracticeMax continues to assess the security of its systems and to enhance existing policies and procedures, including implementing additional technical and administrative safeguards.”

Central Indiana Orthopedics

External counsel for Central Indiana Orthopedics (CIO) has recently notified the Maine Attorney General and sent notification letters to 83,705 individuals affected by a cyberattack that was identified on October 16, 2021. While notification letters were delayed, the breach was announced on the CIO website shortly after it was detected in October 2021.

Following the discovery of suspicious network activity, CIO engaged a third-party cybersecurity firm to investigate the breach and help secure its IT systems. The investigation confirmed that files containing protected health information had been accessed by an unauthorized actor and may have been stolen in the attack. The potentially compromised data included names, addresses, Social Security numbers, and limited health information.

CIO said complimentary identity theft protection services are being offered to affected individuals, which include dark web monitoring and a $1 million identity theft insurance policy. has previously reported on the incident and said a threat group known as Grief claimed responsibility and had uploaded some of the stolen data to the group’s data leak site.

Ascension Michigan

Ascension Michigan has recently started notifying 27,177 individuals about a lengthy unauthorized electronic medical record access incident. Ascension Michigan said the user’s access to the system was immediately terminated when the unauthorized access was discovered. The investigation into the incident confirmed that the user had improperly accessed patient information in the EHR system from October 15, 2015, until September 8, 2021.

A review of the unauthorized access was completed on November 30, 2021, and confirmed that the following types of information had been viewed: full names, birth dates, addresses, email addresses, phone numbers, health insurance information, health insurance identification numbers and carriers, dates of service, diagnoses, treatment-related information, and, in some cases, Social Security numbers.

Following the breach, internal controls were reviewed and processes have been updated to better safeguard patient information. Credit and identity theft protection monitoring services have been offered to affected individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On