
Cyber Incident Victim: Sacred Heart Health System

Date: Feb 2015

Location: United States of America

Summary

A healthcare provider's third-party billing vendor suffered a phishing attack that compromised an employee email account, exposing billing information for 14,000 patients, including names, dates of service, dates of birth, diagnoses, procedures, charges, and physician names; for 40 of those individuals, Social Security numbers were also accessed. The organization notified the affected patients, offered identity monitoring services to those whose Social Security numbers were exposed, and worked with forensic experts to investigate the incident. The provider confirmed that no medical records were breached and stated that it was working with the vendor to strengthen security practices and prevent a recurrence.


Description

On February 2, 2015, Sacred Heart Health System discovered a data breach involving the compromised email account of an employee at its third-party billing vendor. Unauthorized actors accessed billing information for 14,000 patients through a phishing attack targeting the vendor’s employee email system. The breached data included patient names, dates of service, dates of birth, diagnoses, procedures performed, total charges, and physician names. Medical records were not accessed during the incident. A subset of 40 patients had their Social Security numbers exposed in the breach. Sacred Heart initiated an immediate investigation in collaboration with the unnamed billing vendor and engaged computer forensics experts to analyze the incident’s scope and accurately identify affected individuals. Within days of discovery, Sacred Heart mailed notification letters to all 14,000 impacted patients, with separate correspondence sent to the 40 individuals whose Social Security numbers were compromised. The health system arranged complimentary identity monitoring and protection services specifically for those whose Social Security numbers were exposed.


The forensic investigation confirmed the breach originated from a phishing email that deceived the vendor’s employee into interacting with malicious content, leading to unauthorized account access. Sacred Heart’s Privacy Officer, Genevieve Harper, publicly acknowledged the incident while emphasizing organizational commitments to patient privacy and security. In response, Sacred Heart implemented corrective measures focused on enhancing vendor security protocols, requiring the billing vendor to continuously evaluate and modify practices governing confidential information handling. The health system established a dedicated call center operational on weekdays from 8 a.m. to 6 p.m. CST for patient inquiries and advised concerned individuals to review their credit reports through major bureaus Equifax, Experian, and TransUnion, providing direct contact information for each agency. No additional unauthorized access or subsequent incidents were reported following containment of the initial breach.
