PHI of 45,262 Desert Pain Institute Patients Potentially Compromised in Cyberattack


Unauthorized access to the databases of Baywood Medical Associates, operating as Desert Pain Institute (DPI) in Mesa, AZ, has been revealed. It was also discovered that some of the parts of the network that were open to access held the protected health information (PHI) of the healthcare group's patients.

DPI discovered and mitigated the HIPAA breach on September 13, 2021. Following the discovery, an external firm of cybersecurity experts was contracted to review the incident and ascertain the extent of the damage caused by the hacking incident. The outcome of this review was revealed on October 15, 2021, when the cybersecurity experts reported that they had found enough proof to suggest that those responsible for the cyberattack had been able to access the sections of the database that held the PHI of the group’s patients.

An examination of the data that may have been accessed in the attack found that the following information may have been impacted: names, address details, birth dates, Social Security information, tax ID numbers, driver’s license/state-issued identification card numbers, military identification, financial account details, medical history, and health insurance policies. The range of data potentially impacted was not the same for every patient affected in the attack.

In the period from September 13, covering the first discovery of the breach and the subsequent issuing of breach notifications, no proof of any actual or attempted improper use of patient data has been found to date. However, the group has issued an advisory reminding anyone who may have been impacted by the cyberattack to take great care in case any misuse went undetected by the breach investigation. Free credit monitoring services are also being provided for anyone who may have been impacted by the breach.

In addition to these measures, DPI revealed that it has put new cybersecurity strategies in place and enhanced its servers. The new servers feature endpoint reviewing tools to spot unauthorized access.

The breach notification submitted to the Maine attorney general revealed that the PHI of 45,262 individuals may have been impacted in the HIPAA breach. However, no details of the breach have been published on the Department of Health and Human Services’ Office for Civil Rights breach portal.