Security arteries burst: 446K exposed in vein treatment center breach


The Center for Vein Restoration (CVR), a Maryland-headquartered clinic, has suffered a major data breach. Attackers stole extremely sensitive personal data such as lab results and health insurance information.

Malicious actors struck CVR sometime in early October. According to the data breach notice shared on the organization's website, the clinic was alerted about “unusual activity” in its systems on October 6th.

CVR claims to be “America’s largest physician-led vein center” with over 110 locations around the country, from Alabama to Alaska. The clinic is owned by Cortec Group, a private equity firm.

The scope of the recent attacks impacts hundreds of thousands of individuals. According to CVR’s notice, filed with the US Department of Health and Human Services Office for Civil Rights, over 445,000 people had their details fall into the wrong hands.

What’s worse, the attackers were able to access copious amounts of personal information, ranging from customer names and treatment information to employees’ contract details. The full list of exposed data includes:

  • Addresses
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Medical record numbers
  • Diagnoses
  • Lab results
  • Medications
  • Treatment information
  • Health insurance information
  • Provider names
  • Dates of treatment
  • Financial information

While no data leak is free of risk, the exposure of medical information goes far beyond a typical data breach. Stolen medical details are a prized possession in the cybercriminal underground, eagerly traded on dark web forums.

For example, cybercrooks can use leaked details for health identity fraud, including obtaining prescription medication using false insurance claims. Malicious actors could also exploit the exposed data for comprehensive identity theft schemes, with the potential to impact victims’ financial well-being.

Knowledge of lab results, treatment, and medications also enables attackers to craft tailor-made phishing attacks, pressuring unknowing victims where it hurts the most.

Medical data leaks are particularly harmful because, unlike credit card data or account information, details about people’s health cannot be simply replaced. Determined attackers could create fake insurance claims, impacting patients' medical records and future treatment decisions.

Moreover, knowledge of mental health issues could embolden attackers to blackmail patients whose data was exposed.

CVR’s breach notice claims that it has “implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.” At the same time, victims of the data breach were instructed to review statements from healthcare providers and remain vigilant.