Vascular Center of Intervention, Inc.
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
The Vascular Center of Intervention, Inc. (VCI), based in California, experienced a significant data breach that was first identified on March 29, 2023, when unusual activity was detected on its network. The breach notification, signed by Dr. James Lee, revealed that an investigation into the incident found that patient-related files had been accessed or exfiltrated between February 25 and March 29, 2023[3]. The types of information compromised in this breach could include medical history, mental or physical condition, medical treatment or diagnosis by a healthcare professional, date of birth, health insurance information, Social Security Number, and driver’s license information[3].
VCI provided a substitute notice on its website, essentially mirroring the information disclosed in the breach notification but omitting the fact that affected patients were being offered 12 months of credit monitoring and identity theft protection services with Cyberscout[3]. Notably, the breach involved an extortion attempt by the BianLian group, which claimed to have exfiltrated 200 GB of files from VCI’s system and added VCI to its leak site on May 10. Despite these claims, attempts to access the purportedly leaked data failed, raising questions about the veracity of the data leak and the absence of disclosure regarding the ransom demand and the potential dark web leak in VCI’s notifications[3].
VCI responded to the breach by securing its systems, conducting a comprehensive investigation, and reviewing and strengthening its existing safeguards. The organization notified federal law enforcement and appropriate state and federal regulators, and directly notified potentially affected individuals where address information was available. VCI also provided information on steps that can be taken to help protect personal information[5].
The breach has attracted the attention of Turke & Strauss LLP, a leading data breach law firm, which is investigating the incident. The breach involved sensitive personal identifiable information and protected health information belonging to an undetermined number of individuals[7].
Citations:
- https://oag.ca.gov/system/files/Vascular%20Center%20of%20Intervention%2C%20Inc.%20-%20Exhibit%20A.pdf
- https://www.broadinstitute.org
- https://www.databreaches.net/the-vascular-center-of-intervention-breach-what-their-notification-says-and-what-it-didnt-say/
- https://www.ecommunity.com
- https://www.vcifresno.com/notice-of-data-privacy-event.html
- https://bsahs.org
- https://www.turkestrauss.com/2023/05/30/vascular-center-of-intervention-data-breach-investigation/
- https://www.argonmedical.com
- https://kw.linkedin.com/posts/jaredrimer_the-vascular-center-of-intervention-breach-activity-7070712131708481536-uOEq
- https://www.azuravascularcare.com
- https://www.linkedin.com/posts/dataprotection-ae_the-vascular-center-of-intervention-breach-activity-7068831184637542400-n-3V
- https://www.hipaajournal.com/hipaa-violation-cases/
- https://www.redpacketsecurity.com/bianlian-ransomware-victim-vascular-center-of-intervention/
- https://colevannote.com/investigations/
- https://oag.ca.gov/privacy/databreach/list
- https://www.propublica.org/article/maryland-dormu-minimally-invasive-vascular-medicare-medicaid