
A significant data breach has affected the Center for Vein Restoration (CVR), a Maryland-based clinic and the self-proclaimed largest physician-led vein center in the United States. The attack, which occurred in early October 2024, exposed a vast array of highly sensitive personal and medical information, impacting more than 445,000 individuals nationwide.
The breach came to light on October 6, when CVR detected “unusual activity” within its systems, prompting an investigation. According to the clinic’s breach notice filed with the U.S. Department of Health and Human Services Office for Civil Rights, the attackers gained access to extensive personal and medical data, including names and addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, diagnoses, lab results, medications, treatment information and dates, health insurance details, provider names, financial data, and employee contact information.
This breach extends far beyond a typical cyberattack because it involves medical records, which are difficult or impossible to replace. Such data is highly valued in the cybercriminal underworld and is often sold on dark web marketplaces, where it can be used for health identity fraud and other illicit purposes.
The stolen medical information presents profound risks for affected individuals. Cybercriminals can exploit this data to submit fraudulent insurance claims, obtain prescription medications under false pretenses, or execute detailed identity theft schemes. Moreover, attackers with victims’ diagnoses, lab results, or treatment histories could create targeted phishing attacks, pressuring individuals by exploiting their medical vulnerabilities. In extreme cases, knowledge of mental health conditions or sensitive medical treatments could even lead to extortion.
In the wake of the breach, CVR has promised to strengthen its cybersecurity measures, stating that it has implemented additional safeguards to protect its systems and prevent future incidents. The organization has also advised victims to carefully review statements from healthcare providers, insurance companies, and financial institutions for any signs of fraudulent activity.