Cyber Incident Victim: Community Health Systems
Date: Nov 2019
Location: United States of America
Summary
CAH Holdings experienced a security incident involving unauthorized access to certain employee email accounts, potentially exposing personally identifiable information and protected health information. The compromised accounts contained names, medical treatment details, diagnoses, and health benefits data, with a limited subset also including addresses, dates of birth, and Social Security numbers. Forensic investigators could not confirm which specific emails or attachments were accessed by the threat actor. In response, the organization implemented a global password reset, enabled multi-factor authentication, enhanced spam filters, appointed a Chief Information Security Officer, and conducted employee cybersecurity training to mitigate future risks. The company's CEO emphasized their commitment to protecting customer information and offered affected individuals complimentary credit monitoring and identity theft protection services.
Description
On or around November 15, 2019, CAH Holdings Inc. (CAH) discovered a data security incident involving unauthorized access to certain employee email accounts. The company engaged independent computer forensic experts to investigate the scope and nature of the breach. Forensic analysis confirmed that an unauthorized actor had compromised corporate email accounts, though investigators could not determine which specific emails or attachments the intruder accessed. CAH conducted an internal review of the affected accounts and identified exposed personally identifiable information and protected health information, including patient names, medical treatment histories, diagnoses, and health benefits information. For a smaller subset of individuals, the compromised data also included addresses, dates of birth, and Social Security numbers. CAH stated it had no evidence of actual misuse of the exposed information at the time of disclosure.

CAH implemented multiple corrective measures following the investigation, including a global password reset for all accounts, activation of multi-factor authentication, and enhanced spam filtering capabilities. The company appointed a Chief Information Security Officer to oversee security improvements and conducted mandatory retraining for all employees on cybersecurity awareness, focusing on identifying and reporting suspicious emails. Affected individuals were offered complimentary one-year credit monitoring and identity theft protection services through ID Experts®, featuring credit monitoring, identity detection, and identity theft resolution. CAH established a dedicated call center (833-953-1522) operating during Central Time business hours for impacted individuals to inquire about their status. CEO Grantland Rice publicly acknowledged the breach, emphasizing organizational commitments to strengthening data protection protocols and preventing recurrence, while referencing FTC identity theft resources at identitytheft.gov for additional guidance.
