The Aesthetic Dermatology Associates, based in Pennsylvania, have confirmed a breach involving the protected health information (PHI) of 33,793 current and former patients. The cyberattack, during which unauthorized individuals viewed and, in some cases, acquired the PHI, was first detected on August 15, 2022.
Upon detection of the suspicious network activity, the Aesthetic Dermatology Associates launched an investigation to establish the scope of the attack. The Associates have not provided details of how long the unauthorized individuals had access to the network, though it has been confirmed that nearly 34,000 patients were affected.
The investigation, which was completed on September 3, 2022, determined that the individuals had access to patient names, dates of birth, addresses, details of health insurance coverage, and diagnosis codes.
The press release issued by the Aesthetic Dermatology Associates stated that there is “no evidence of actual or attempted misuse of information as a result”. While this was true at the time of the press release, on October 1, the ransomware group BianLian started leaking patient data that could be associated with the attack. BianLian is a recent variant of ransomware that has been connected with a number of other attacks.
The Aesthetic Dermatology Associates issued the following to patients:
“As part of this commitment, we are reviewing our existing policies, procedures, and systems related to cyber security. Although we have no evidence of any actual or attempted misuse of the potentially impacted information resulting from this incident, we are notifying affected individuals, including you, so that you may take steps to protect your personal information, should you feel it is appropriate to do so.”