Cyber Incident Victim: The Chattanooga Heart Institute
Date:
Mar 2023
Location:
United States of America
Summary
A healthcare provider experienced an external system breach compromising over 410,000 individuals’ personal information combined with financial account or payment card details alongside security credentials. The intrusion was discovered roughly three months after occurring, leading to written notifications and multiple supplemental disclosures months later. Impacted individuals received offers for a year of credit monitoring services to mitigate potential identity theft risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 8, 2023, The Chattanooga Heart Institute experienced a significant external system breach involving unauthorized access to its data through hacking activities. The breach remained undetected until May 31, 2023, when the healthcare provider discovered the compromise nearly three months after the initial intrusion. This cybersecurity incident resulted in the exposure of sensitive personal and financial information belonging to 411,383 individuals, including 47 residents of Maine. The stolen data included individuals' names in combination with critical financial identifiers such as account numbers, credit or debit card details, and associated security credentials like security codes, access codes, passwords, or PINs. The compromised information presented severe risks of financial fraud and identity theft due to the accessibility of both identification markers and protected account authentication elements. The Chattanooga Heart Institute, based at 2501 Citico Avenue in Chattanooga, Tennessee, operated as a healthcare entity during the breach, handling protected health information and payment details as part of its medical services.
Upon confirming the incident's scope, The Chattanooga Heart Institute engaged external counsel Ryan Loughlin of Mullen Coughlin to manage breach notifications and regulatory compliance. The organization initiated written notifications to affected individuals on two primary dates: July 28, 2023, and October 6, 2023, reflecting a phased disclosure process across multiple months. For the 47 impacted Maine residents, the entity submitted a supplemental notice detailing the event's specifics to state authorities, aligning with Maine's breach notification requirements. The Chattanooga Heart Institute referenced July 28, 2023, as the date of a prior breach notification within the preceding 12-month period, though details of that earlier incident were not disclosed in the Maine Attorney General filing. As a remedial measure, the organization offered comprehensive identity theft protection services to affected individuals, providing 12 months of credit monitoring through the third-party provider Epiq. This response strategy aimed to mitigate potential financial harm while enabling individuals to detect suspicious activity stemming from the breach.