On May 18, DataBreaches.net broke the story about a cyberattack on Michigan Avenue Immediate Care in Chicago (MAIC). The threat actors who had attacked Unified Government of Wyandotte County and Kansas City in April claimed responsibility for the attack.

Despite multiple inquiries sent to MAIC, no response was ever received, but the threat actors provided DataBreaches with exclusive access to a large archive of data allegedly exfiltrated beginning in December 2021 and continuing to May 10, 2022. The data was described in this site’s previous report.

Yesterday, MAIC submitted notification template letters to the California Attorney General’s Office.

MAIC’s notice states that they first learned of a breach on May 1, 2022. That date corresponds to what the threat actors had told DataBreaches as the date they first contacted MAIC with their demands.

MAIC claims that on May 12, they learned that the files contained personal and protected health information. Their description in their templates to adult patients and parents of pediatric patients is consistent with what the threat actors had claimed and provided to DataBreaches.

Significantly, MAIC does not tell those being notified that the breach occurred last year — in November, based on the meta data in their report to the AG’s office, or in December, based on when exfiltration started according to the threat actors.

Nor does their notification explain why they only first found out on May 1 via notification by threat actors and they never detected the breach by any internal audits or means.

MAIC’s template notification for pediatric patients can be found here; the one for adult patients can be found here. MAIC informs people “so that you can be aware of the incident and take steps to help protect your child against identity theft or fraud, if you feel that is appropriate. Although we are not aware of any identity theft or fraudulent use of your child’s information in connection to this incident,” MAIC offers one  year of complimentary services.

MAIC may not be aware of any fraudulent use of data, but should they have notified people  that the data has already been shared and that the threat actors claimed to be selling the data? Would that lead to more people signing up for monitoring and remediation services?

Any report that they may have filed this week with HHS has yet to show up on the public breach portal. In the absence of any response from MAIC, DataBreaches had estimated 43,000 affected based on the data and information provided by the threat actors, but that number may be significantly different than what they report.

This post will be updated when a number is reported to HHS.

Updated July 12, 2022: And now we know:  144,104 were reported as affected by this breach.