PHI Potentially Compromised in Cyberattacks at Norwood Clinic, Central Indiana Orthopedics, and Alliance Physical Therapy Group

Norwood Clinic

The multi-specialty clinic based in Birmingham, AL, Norwood Clinic, just began sending notifications to 228,103 persons concerning the access to some of their protected health information (PHI) during a cyberattack, which was discovered on October 22, 2021. Upon discovery of the breach, Norwood Clinic secured its systems immediately and third-party security professionals investigated the incident to find out the nature and extent of the breach.

The investigation affirmed that an unauthorized person acquired access to a server that contained patient data including names, contact details, birth dates, driver’s license numbers, Social Security numbers, some health data, and/or medical insurance policy numbers. Although unauthorized data access was certain, it was impossible to know which particular data was accessed, or if any patient data was obtained during the attack.

Norwood Clinic stated a free one-year membership to credit monitoring, dark web monitoring, and identity theft protection services were provided to impacted persons. Steps were undertaken to enhance cybersecurity, which includes changing email configurations and policies, updating and enhancing system security technical hardware, putting more password difficulty rules, and using a lot more safe login processes.

Central Indiana Orthopedics

External counsel for Central Indiana Orthopedics (CIO) lately advised the Maine Attorney General and issued breach notification letters to 83,705 persons impacted by a cyberattack that was discovered on October 16, 2021. Although notification letters were overdue, the breach was reported on the CIO web page immediately after it was discovered in October 2021.

After the uncovering of suspicious system activity, CIO had a third-party cybersecurity agency investigate the incident and help keep its IT systems secure. The investigation affirmed that files comprising PHI were accessed by an unauthorized person and were possibly stolen during the attack. The possibly exposed data involved names, addresses, limited health data, and Social Security numbers.

CIO stated free identity theft protection services are provided to impacted persons, which consist of dark web monitoring and an identity theft insurance policy worth $1 million. has earlier reported about the incident and stated a threat group called Grief stated it was responsible for the incident and had published some of the stolen information on the group’s data leak website.

Alliance Physical Therapy Group

Alliance Physical Therapy Group in Grand Rapids (APTG), MI, stated it found out that unauthorized persons had obtained access to selected systems inside its network on December 27, 2021. Third-party cybersecurity company APTG confirmed on January 7, 2022 that files made up of the PHI of 14,970 patients might have been exfiltrated from its system from December 23, 2021 to December 28, 2021.

An analysis of those files affirmed that they comprised patient names, birth dates, driver’s license numbers, Social Security numbers, health data, and health insurance data.

APTG stated it is going over its cybersecurity guidelines and procedures and will impose extra measures and safety steps to avert more cyberattacks. APTG did not find any evidence of misuse of patient information however it provided the impacted persons with one year of free credit monitoring and identity restoration services. Breach notification letters had been mailed on January 28, 2022.