If you say you are going to provide details of an incident, then DataBreaches believes that you should provide important details — like the fact that patient data has been leaked on the dark web. Here’s another incident notice where there is no mention of that. From Aesthetic Dermatology Associates‘ press release:
What Happened? On August 15, 2022, Aesthetic Dermatology became aware of suspicious activity on its systems. They immediately launched an investigation to determine the cause of the activity, and its full nature and scope. Working with a computer forensics specialist, Aesthetic Dermatology investigation determined that an unauthorized actor had accessed certain systems on its network, some of which housed files containing personal information. Aesthetic Dermatology then undertook a review of these files to identify any sensitive information stored therein and to whom it relates. On September 3, 2022, Aesthetic Dermatology determined sensitive information related to its patients may have been impacted.
What Information Was Involved? The types of information which may have been impacted includes patients’ name, address, date of birth, diagnosis code, and health insurance information.
While their press release quickly tells people that they have “no evidence of actual or attempted misuse of information as a result” of the incident, they never tell people that data have actually been leaked. Did they know that by the time they issued the press release?
The ransomware group known as BianLian claimed responsibility for this attack and started leaking data by October 1, including some patient records.
BianLian also leaked the file tree that indicates other files on the drive.
Aesthetic Dermatology Associates does not appear to be offering those affected any complimentary mitigation services.
You can read Aesthetic Dermatology Associates’ full press release at https://www.prnewswire.com/news-releases/aesthetic-dermatology-associates-pc-provides-notice-of-data-privacy-event-301644883.html. There does not seem to be any notice on their website at the time of publication, but the incident was reported to HHS as impacting 33,793 patients.