Tennessee Orthopaedic Clinics notifies HHS of breach; has yet to notify patients

An undated message on the Tennessee Orthopaedic Clinics website states that TOC recently responded to a security incident. They don’t say when they discovered it, but their investigation determined “that an unauthorized party accessed some of our systems between March 20, 2023, and March 24, 2023, and may have accessed or acquired certain files.” The attack reportedly resulted in disruption of some systems, but they do not mention malware or ransomware, and they do not mention whether there was any ransom or extortion demand. TOC reports that protected health information (PHI) of some patients was accessed or acquired. The information varied per patient but could have included names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information. As of May 24, TOC had not yet started providing notification to patients and was presumably still in the process of determining who needs to be notified. TOC’s report to HHS used a marker number of “500” affected, suggesting that they did not yet know how many were affected and who needs to be notified individually. TOC’s full website notice can be found at https://www.tocdocs.com/notice-of-security-incident/. DataBreaches has not seen this entity listed on any ransomware group’s leak site as of this publication and attempts to reach out to TOC through their site failed. DataBreaches will continue to monitor for updates to this incident.