Cyber Incident Victim: Hartford HealthCare

Hartford HealthCare experienced a cybersecurity incident between February 13 and February 14, 2020, when unauthorized individuals gained access to two employee email accounts within its network of over 30,000 staff members. The organization detected suspicious activity in these accounts and immediately secured them while engaging a technology forensics firm to investigate the breach. The forensic investigation confirmed the intrusion window and determined that one compromised account contained sensitive patient information. Attackers accessed personal data including patient names, dates of birth, medical record numbers, clinical diagnoses, dates of service, provider names, and health insurance details. For 23 specific patients, the exposed information included insurance account numbers incorporating Social Security numbers, while an undisclosed number of other patients had personal financial information compromised. Hartford HealthCare emphasized that most affected individuals did not have Social Security numbers or credit card information exposed.

The breach impacted up to 2,651 patients across the healthcare provider's service area covering 185 towns in Connecticut and Rhode Island. Following the investigation, Hartford HealthCare implemented multiple containment measures including mandatory password changes for all employee email accounts and disabling the specific software exploited by the attackers to carry out the compromise. The organization reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights and directly notified affected patients by April 13, 2020. For the 23 patients whose Social Security numbers were exposed, Hartford HealthCare offered two years of free credit monitoring services. The healthcare provider stated no evidence had been found suggesting misuse of any accessed information following comprehensive monitoring of the situation.