Cyber Incident Victim: RS Medical

Date: Feb 2019

Location: United States of America

Summary

An attacker compromised an employee's email account at RS Medical through a phishing attack, using the access to send approximately 10,000 fraudulent emails before being locked out within two hours. While the primary intent appeared unrelated to patient data theft, the company could not definitively rule out exposure of protected health information (PHI) stored in the account, prompting notifications to roughly 250 affected individuals. Potentially accessible PHI included names, contact details, birthdates, diagnosis codes, and prescribed medical equipment information. The incident underscores risks associated with storing unencrypted PHI in employee email systems despite security training.


Description

On February 11-12, 2019, RS Medical experienced a security incident stemming from a successful phishing attack targeting an employee's Outlook account credentials. An unauthorized individual gained access to the account after the employee fell victim to the phishing attempt. The attacker tested the compromised credentials to verify functionality before launching approximately 10,000 phishing emails from the account over a period of less than two hours. RS Medical detected the malicious activity and responded by changing the account password to terminate the unauthorized access. The organization's internal investigation determined the primary objective of the breach was to hijack the email account for mass phishing distribution rather than targeting protected health information (PHI).

RS Medical conducted a risk assessment concluding that while the likelihood of PHI exposure was low, they could not definitively rule out potential access to patient data stored in the compromised mailbox. This assessment led to notifications being sent to approximately 250 affected patients whose information resided in the account. The potentially accessible PHI included patient names, home addresses, phone numbers, dates of birth, diagnosis codes, and details regarding prescribed medical equipment types and quantities. The company documented no evidence suggesting actual acquisition or viewing of PHI by the attacker but maintained notification was necessary due to the theoretical access possibility during the two-hour compromise window. No connection was established between this incident and a separate Microsoft email breach disclosed around the same timeframe.
