Vascular Center of Intervention, Inc.

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

The Vascular Center of Intervention, Inc. (VCI), based in California, experienced a significant data breach that was first identified on March 29, 2023, when unusual activity was detected on its network. The breach notification, signed by Dr. James Lee, revealed that an investigation into the incident found that patient-related files had been accessed or exfiltrated between February 25 and March 29, 2023[3]. The types of information compromised in this breach could include medical history, mental or physical condition, medical treatment or diagnosis by a healthcare professional, date of birth, health insurance information, Social Security Number, and driver’s license information[3].

VCI provided a substitute notice on its website, essentially mirroring the information disclosed in the breach notification but omitting the fact that affected patients were being offered 12 months of credit monitoring and identity theft protection services with Cyberscout[3]. Notably, the breach involved an extortion attempt by the BianLian group, which claimed to have exfiltrated 200 GB of files from VCI’s system and added VCI to its leak site on May 10. Despite these claims, attempts to access the purportedly leaked data failed, raising questions about the veracity of the data leak and the absence of disclosure regarding the ransom demand and the potential dark web leak in VCI’s notifications[3].

VCI responded to the breach by securing its systems, conducting a comprehensive investigation, and reviewing and strengthening its existing safeguards. The organization notified federal law enforcement and appropriate state and federal regulators, and directly notified potentially affected individuals where address information was available. VCI also provided information on steps that can be taken to help protect personal information[5].

The breach has attracted the attention of Turke & Strauss LLP, a leading data breach law firm, which is investigating the incident. The breach involved sensitive personally identifiable information and protected health information belonging to an undetermined number of individuals[7].

Citations:

  1. https://oag.ca.gov/system/files/Vascular%20Center%20of%20Intervention%2C%20Inc.%20-%20Exhibit%20A.pdf
  2. https://www.broadinstitute.org
  3. https://www.databreaches.net/the-vascular-center-of-intervention-breach-what-their-notification-says-and-what-it-didnt-say/
  4. https://www.ecommunity.com
  5. https://www.vcifresno.com/notice-of-data-privacy-event.html
  6. https://bsahs.org
  7. https://www.turkestrauss.com/2023/05/30/vascular-center-of-intervention-data-breach-investigation/
  8. https://www.argonmedical.com
  9. https://kw.linkedin.com/posts/jaredrimer_the-vascular-center-of-intervention-breach-activity-7070712131708481536-uOEq
  10. https://www.azuravascularcare.com
  11. https://www.linkedin.com/posts/dataprotection-ae_the-vascular-center-of-intervention-breach-activity-7068831184637542400-n-3V
  12. https://www.hipaajournal.com/hipaa-violation-cases/
  13. https://www.redpacketsecurity.com/bianlian-ransomware-victim-vascular-center-of-intervention/
  14. https://colevannote.com/investigations/
  15. https://oag.ca.gov/privacy/databreach/list
  16. https://www.propublica.org/article/maryland-dormu-minimally-invasive-vascular-medicare-medicaid

Breach Submission Date: May 24, 2023
Converted Entity Name: Vascular Center of Intervention, Inc.
Converted Entity Type: Healthcare Provider
State: CA
Individuals Affected: 3,833
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes