DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Eight months after ransomware attack, Advanced Urgent Care of Florida Keys notifies patients

Posted on November 9, 2020 by Dissent

On March 14, DataBreaches.net reported that Advanced Urgent Care of the Florida Keys had been attacked, and patient data dumped. The data dump had been listed on a Russian-language forum known for data dumps, and the threat actor, then known as “m1x,” called the medical group “Malicious Defaulters” because they wouldn’t pay to prevent data dumping.

As DataBreaches.net reported from inspecting the data dump:

The data, which were made freely available on a popular file-sharing site, contained more than 14,000 patients’ personal information. For some of the patients, there were numerous scans of patient records. In most cases, these were scans of reports that included some handwritten notes and results with the patients’ personal information, medical history, reason for testing or visit, and more.

There was also billing information dumped. From timestamps, it appeared the attack occurred on or about March 1. DataBreaches.net also posted a number of redacted screenshots from the data dump, while noting that the medical center had not responded to several inquiries sent to them by this site.

On May 31, more than 60 days after the dump first appeared, this site sent one last inquiry to Advanced Urgent Care of Florida Keys, asking them if they had ever reported this breach to HHS and whether they had ever notified patients.


Getting no response to that inquiry, either, DataBreaches.net filed a watchdog complaint with HHS on June 3, including screenshots of the listings and data, and offering to provide HHS with the full data dump if they needed it for investigative purposes.


On November 6, the practice issued a press release.

Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care Notice Regarding Data Security Incident

KEY WEST, Fla., Nov. 6, 2020/PRNewswire/ — Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care (“Advanced Urgent Care”) is committed to maintaining the privacy and security of information. On November 6, 2020, Advanced Urgent Care notified certain individuals about a data security incident.

Specifically, On March 1, 2020, a ransomware infection encrypted files stored on an Advanced Urgent Care backup drive. Advanced Urgent Care immediately began an investigation. As a part of its investigation, it worked very closely with external cybersecurity professionals.

After an extensive forensic investigation and manual document review, Advanced Urgent Care discovered on September 11, 2020 that the impacted backup drive contained personal and protected health information, including names, dates of birth, health insurance information, medical treatment information, medical diagnostic information, lab results, Medical Record Numbers (MRN), Medicare or Medicaid beneficiary numbers, medical billing information, bank account information, credit or debit card information, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, driver’s license numbers, signatures, and Social Security numbers. This incident does not affect all patients of Advanced Urgent Care and not all information was included for all individuals. The Advanced Urgent Care electronic health record system was not impacted by this incident.

Advanced Urgent Care takes this incident and security of personal information very seriously. Advanced Urgent Care has taken steps to secure its network and improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future.

Impacted individuals have been provided with best practices to protect their information and have been reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Advanced Urgent Care has recommended that affected individuals review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. Individuals whose Social Security numbers were contained in the impacted backup drive have been offered a complimentary credit monitoring product.

For further questions or additional information regarding this incident, or to determine if you may be impacted by this incident and are eligible for complimentary credit monitoring, a dedicated toll-free response line has been set up at 1-866-977-1187.  The response line is available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time.

View original content:https://www.prnewswire.com/news-releases/bruce-l-boros-md-pa-dba-advanced-urgent-care-notice-regarding-data-security-incident-301168080.html.

SOURCE Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care

DataBreaches.net Comments:

1. The practice claims that on September 11, it discovered ePHI was involved? This site had published evidence of ePHI on March 14 and had written to them about it several times. So they already had evidence in March that they could confirm as their data. Will HHS let them claim discovery in September or will it point out that any reasonable entity would have discovered the breach no later than March 17?  And when did HHS first contact the practice to follow up on my complaint (if they did contact them)?

2. The press release does not tell patients that their data was actually dumped and made freely available on two web sites, neither of which requires Tor to access. Does the notification letter to patients tell them that their data was first dumped on the internet on March 13?

I will be watching to see if HHS gives them a pass or walk on this one.

Update:  On Nov. 6, Dr. Boros reported the incident to HHS as impacting 58,823 patients.

Category: Commentaries and AnalysesHealth DataMalwareOf NoteU.S.

Post navigation

← Patients need to be notified sooner of ransomware dumps
FTC Requires Zoom to Enhance its Security Practices as Part of Settlement →

1 thought on “Eight months after ransomware attack, Advanced Urgent Care of Florida Keys notifies patients”

  1. Keith J says:
    November 10, 2020 at 1:28 pm

    Dear DataBreaches.Net, Thank you for this excellent distill of the Advanced Urgent Care of the Florida Keys breach. My girlfriend received the letter of the breach just today- several months after the legal deadline for the affected company to make known the breach. Your reporting is both insightful and valued as we pursue thi and try to determine how best to proceed for her identity and HIPPA rights protection. v/r, Keith J

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them
  • Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware
  • Developments surrounding data breach at Dutch police
  • Estonia launches international search for Moroccan citizen wanted over data theft
  • Now it’s Tiffany: Another LVMH luxury brand hit by hackers
  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.