Cyber Incident Victim: Atascadero State Hospital
Date: Feb 2021
Location: United States of America
Summary
Atascadero State Hospital experienced a data breach involving an employee with IT system access privileges who improperly accessed sensitive information. The incident compromised names, COVID-19 test results, and health tracking data for approximately 1,415 patients and former patients, along with 617 employees. The unauthorized access was discovered during the facility’s routine annual review of employee data access permissions as part of standard security protocols.
Description
On February 25, 2021, the California Department of State Hospitals (DSH) identified a data breach involving unauthorized access to sensitive information at Atascadero State Hospital. The incident was discovered during DSH’s annual review of employee access rights to data folders, conducted as part of standard compliance with the organization’s information and systems access rights policy. An employee with legitimate IT job duties and server access privileges had improperly accessed records containing protected health information and COVID-19-related data. The compromised records included approximately 1,415 patients and former patients, along with 617 employees. Exposed data consisted of names, COVID-19 test results, and health information used for tracking COVID-19 infections. No external threat actors or system intrusions were implicated, as the breach stemmed entirely from internal misuse of authorized access privileges. The review process that uncovered the incident focused on validating appropriate access levels to institutional data repositories.

DSH publicly announced the breach on the same day it was discovered, confirming the scope of affected individuals and data types. The disclosure did not specify whether the employee’s actions were accidental or deliberate, nor did it describe the duration of unauthorized access prior to detection. Impacted parties included both current and former hospital patients alongside staff members whose employment-related health information was accessed. COVID-19 test results constituted a significant portion of the breached health data, reflecting the hospital’s pandemic-related tracking activities during the 2020-2021 period. No information was released regarding containment measures, disciplinary actions against the employee, or post-breach notifications to affected individuals beyond the initial public statement. The incident highlighted vulnerabilities in internal access controls despite established policy-driven review mechanisms.
