DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

FL: Ransomware group claims to have stolen data on 260,000 patients from Jax Spine and Pain Centers; victim remains silent (UPDATED)

Posted on February 10, 2022 by Dissent

Update of February 24, 2022:  Jacksonville Spine Center, P.A. (JAX Spine and Pain Centers) reported a hacking incident to HHS on February 10 — the same date that this site first reported on claims by Avos Locker to have acquired data on 260,000 patients.  JAX never responded to this site’s inquiries, but seems to have reported to HHS that 38,000 patients were impacted or notified. That’s a big difference between what Avos Locker claimed and what the covered entity reported. 

DataBreaches.net has since found a statement on JAX’s site that says that the attack occurred on January 24. The statement stresses that only data prior to May 2018 was involved, and no clinical data was involved — only demographic data (which is what this site had noted in the original post). 

Original post:

Covered entities in the medical sector continue to be an attractive target for ransomware groups, and earlier this week, Avos Locker added Jax Spine and Pain Centers (“JAX”) to their leak site.  JAX  has seven locations in North Florida and south Georgia.

According to the threat actors’ listing on their dark web site, “We have the full EHR (Electronic Medical Records) database for 262,000 patients! We are publishing list only for first 100 patients as proof.”

DataBreaches.net examined the .csv file with 100 records and found that it contained what appeared to be older data (circa 2012-2017) with demographic information fields that included patients’ first and last names with middle initial, postal address with zip code, email address, home and work phone numbers, date of birth,  Social Security numbers, and some information on payment guarantor and provider.  Patient ID numbers were also incorporated, The 100 records did not represent 100 unique patients, as there were multiple records for some of the names and Patient ID numbers.

There was no sensitive medical information in this particular sample such as diagnosis, treatment codes, dates of service, or specific health insurance information.

Redacted .csv records
Image: Redacted by DataBreaches.net. Fields that were empty have been hidden in this screencap.

According to an Avos Locker spokesperson, all the files they acquired — which they claim is the full EHR database — are in text format. There are reportedly no pdf files or image files.

Attempts to validate the data were impacted by the age of the data. Sampling from the records, DataBreaches.net was able to find individuals of the right age (or now deceased) from Florida but in some cases, the individuals could not currently be found at the street address in the .csv file (they had likely moved over time). Attempts to validate the SSN data found valid SSN numbers that corresponded to varying degrees with the patient’s reported date of birth. In some cases, there were discrepancies between the date a particular SSN was issued and the patient’s reported date of birth although the SSN number was a valid number.

Based on validation attempts so far, the data look real, and even if there are no medical diagnoses and other types of data, this would be a reportable breach under HIPAA/HITECH.  Avos claims that they do have the other data types, but have not (yet) provided this site with any hard proof of that.

Significantly — for JAX — an Avos spokesperson states that Avos did not lock/encrypt the EHR database and confined themselves to exfiltrating a copy of it.

JAX was allegedly notified by Avos via numerous calls, but allegedly did not respond and has not attempted to negotiate with the threat actors at all, according to the Avos spokesperson. They have not revealed when they first accessed JAX’s system.

DataBreaches.net has sent JAX’s owner, John Carey, and a physician partner, Dr. Michael Hanes, two emails over the past 24 hours requesting that they confirm or refute the claimed attack and to answer some questions about the incident. The questions included whether data from patients at all of their locations had been stolen, whether they could confirm that files with diagnoses and insurance information had been stolen, whether any employee or contractor information had been stolen, and whether they have already notified HHS, patients, and regulators if required by law.

There has been no response at all, and there does not seem to be any notice on their website.

This post may be updated as more information becomes available.

Category: Breach IncidentsHack

Post navigation

← CISA Alert (AA22-040A): 2021 Trends Show Increased Globalized Threat of Ransomware
One year after it started, LendUs discloses that they had a breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.