Cyber Incident Victim: Midwest Orthopaedics at Rush

In early 2014, Midwest Orthopaedics at Rush (MOR), a Chicago-based medical practice, experienced a privacy incident involving unauthorized access to a physician's personal email account. On or around February 10, an unknown individual gained entry to the account, which contained protected health information for 1,256 patients. The compromised data included patient names, dates of birth, surgical descriptions or codes, dates of surgical procedures, and special surgical instructions. MOR discovered that the physician had inappropriately used a personal email account to store this sensitive patient information as part of their work activities. The organization confirmed the breach through an internal investigation, though the exact method of unauthorized access remained unspecified in public disclosures. No evidence suggested the attacker specifically targeted medical records or orchestrated a sophisticated cyberattack against MOR's systems.

MOR initiated multiple corrective actions following the investigation. The practice eliminated the use of personal email accounts for work-related communications and patient data handling as part of revised privacy policies. Annual privacy training for all employees was implemented to reinforce proper data handling protocols. MOR began notifying all affected individuals in April 2014 through direct communications and a public website notice, which stated the organization had received no reports of actual misuse or further exploitation of the exposed health information. The notification clarified that while surgical codes and instructions were compromised, no financial data or Social Security numbers were stored in the breached email account. MOR did not disclose whether password resets, multi-factor authentication enhancements, or third-party forensic audits were conducted as part of their response.