Cyber Incident Victim: Loyola University Medical Center

Date: Oct 2021

Location: United States of America

Summary

Loyola University Medical Center experienced a phishing incident compromising an employee email account, potentially exposing protected health information of 16,934 patients. Unauthorized access occurred over a three-day period, though investigators could not confirm whether emails or attachments were viewed. Exposed data included patient names, contact details, birthdates, medical record numbers, treatment details, test results, and limited health plan information. The organization detected suspicious activity, secured the account promptly, and found no evidence of data misuse. Affected individuals received complimentary credit and dark web monitoring services. LUMC highlighted its existing cybersecurity investments, including dedicated monitoring teams and continuous security testing.

Description

Loyola University Medical Center (LUMC) detected suspicious activity in an employee email account on October 31, 2021, immediately secured the account, and began an investigation. Forensic analysis determined unauthorized access occurred between October 29 and October 31, 2021, though investigators could not confirm whether emails or attachments were viewed or exfiltrated. The compromised account contained protected health information (PHI) of 16,934 patients, including full names, addresses, telephone numbers, dates of birth, email addresses, medical record numbers, health conditions, medications, test results, treatment facility details, service types, and partial health plan information. No evidence emerged of actual or attempted misuse of patient data during or after the breach window. Despite assessing a low risk of identity theft or fraud, LUMC provided affected individuals with 12 months of complimentary credit monitoring and dark web surveillance services. The medical center emphasized its existing security investments, including a dedicated cybersecurity team and continuous monitoring systems, as foundational to its response.

The incident originated from unauthorized access to a single employee email account over a three-day period, with detection occurring on the final day of the intrusion timeline. LUMC's review confirmed the exposed data types but did not identify specific threat actor behaviors beyond the access timeframe. Organizational impacts included mandatory notifications to nearly 17,000 patients and implementation of additional safeguards, though the article did not specify technical details of these enhancements. Operational consequences were limited by the absence of system-wide compromise or of evidence suggesting broader network infiltration beyond the targeted mailbox. In its post-incident communications, LUMC publicly reaffirmed its commitment to maintaining a "strong security program" with 24/7/365 monitoring and regular security control testing. Based on available disclosures, the breach did not disrupt clinical operations or result in regulatory penalties.