Northeast Spine and Sports Medicine data breach exposes sensitive information of 6,300 patients

Northeast Spine and Sports Medicine, based in Point Pleasant, New Jersey, has disclosed a data breach affecting the protected health information (PHI) of approximately 6,300 individuals. The breach, attributed to unauthorized access by the BianLian threat group, was detected on January 8, 2024. Evidence suggests the intrusion occurred between late December 2023 and January 8, 2024.

A third-party forensic investigation revealed that sensitive patient data was accessed and potentially stolen during the attack. The compromised data includes full names, gender, addresses, phone numbers, dates of birth, Social Security numbers, and medical records. Additionally, for some individuals, the breach extended to financial and billing information, such as health plan beneficiary numbers, insurance and payment details, medical record numbers, and account information. In some instances, the data of individuals responsible for paying medical bills was also exposed.

The BianLian threat group, known for its sophisticated cyberattacks targeting healthcare entities, is believed to have orchestrated this breach. While Northeast Spine and Sports Medicine has not disclosed whether any ransom demands were made, the sensitive nature of the exposed information heightens concerns about potential misuse.

Northeast Spine and Sports Medicine has implemented enhanced cybersecurity measures to address the incident and prevent future attacks, including improved multi-factor authentication protocols, firewall upgrades, and advanced event monitoring systems. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.