Cyber Incident Victim: Adventist Health

On September 30, 2020, Adventist Health Sonora discovered a phishing incident that compromised an associate’s email account credentials. The organization immediately initiated an investigation to determine the scope and nature of the unauthorized access. By October 14, 2020, the investigation confirmed that the breached account contained protected health information (PHI) belonging to patients. The exposed data included patient names, dates of birth, medical record numbers, hospital account numbers, insurance information, and clinical details related to care received at the facility. No evidence suggested broader system compromise beyond the single associate’s account. Adventist Health characterized the incident as isolated but acknowledged the potential risk to patient privacy due to the sensitivity of the accessible information.

Adventist Health Sonora notified 2,653 potentially impacted patients residing in the Sonora area, despite the limited scope of the breach, as a precautionary measure. The notification letters detailed the types of exposed PHI and advised patients to monitor their accounts for suspicious activity. As remediation, the organization offered affected individuals one year of complimentary identity theft protection services through a specialized data breach recovery firm. Adventist Health reinforced its commitment to security but did not disclose specific technical or procedural changes implemented post-incident. The hospital published its notification letter publicly on its website to ensure transparency regarding the phishing attack’s consequences.