Cyber Incident Victim: University of Vermont Health Network
Date: Oct 2018
Location: United States of America
Summary
The University of Vermont Health Network experienced unauthorized access to an employee's email account, compromising personal and medical information of approximately 32,000 patients. Exposed data included names, dates of birth, addresses, medical record numbers, service dates, treatment summaries, and Social Security numbers for 1,200 individuals. The breach was confined to a single email account without affecting broader network systems or electronic medical records. Upon discovery, the organization implemented password changes, enhanced security protocols, engaged forensic investigators, and established a dedicated call center. While no evidence of data misuse was found, potentially affected individuals received notifications and guidance on protective measures, with credit monitoring offered to those whose Social Security numbers were involved.
Description
On October 9, 2018, an unauthorized individual remotely accessed an employee’s email account at the University of Vermont Health Network – Elizabethtown Community Hospital. The breach was discovered on October 18, 2018, prompting immediate containment measures including password resets, implementation of enhanced security features, and engagement of a forensic security firm to investigate the incident. The hospital confirmed the intrusion was limited exclusively to the single compromised email account, with no evidence of access to broader hospital computer networks, electronic medical records, or IT systems at any affiliated Network organizations. An initial 60-day investigation found no indication of fraud or identity theft stemming from the incident. The hospital emphasized the breach duration was brief but did not specify the exact timeframe of unauthorized access prior to detection.

The forensic review identified personal information within the compromised email account, including patient names, dates of birth, addresses, medical record numbers, dates of service, and summaries of medical services—primarily billing-related data. Social Security numbers were present for a subset of individuals. While investigators found no evidence that specific records were viewed or misused, the hospital proactively notified all 32,000 potentially affected patients due to the account’s data contents. Of these, 1,200 individuals whose Social Security numbers were exposed received offers for complimentary credit and identity theft monitoring services. The organization established a dedicated call center operating weekdays from 9 a.m. to 9 p.m. EST to address inquiries and acknowledged the possibility of revising the impacted patient count downward as the investigation continued. Security enhancements were applied organization-wide to email systems, supplemented by staff re-education on data protection protocols. Public updates were committed through the hospital’s website alongside direct notifications to all individuals whose information resided in the account during the breach period.
