Cyber Incident Victim: Capsule
Date: Mar 2022
Location: United States of America
Summary
Unauthorized individuals gained access to email accounts at two healthcare organizations, compromising protected health information including patient names, dates of birth, medical record numbers, clinical details, and treatment-related data. A subset of affected individuals had more sensitive information exposed, such as Social Security numbers, driver’s license details, and health insurance information, prompting offers of complimentary credit monitoring and identity theft protection services. While forensic investigations confirmed the breaches, they could not definitively determine whether attackers viewed or exfiltrated specific email contents. Neither organization has publicly confirmed the total number of impacted individuals, as both incidents remain absent from official regulatory breach reports at the time of disclosure.
Description
In early 2022, BJC HealthCare, a St. Louis-based nonprofit healthcare organization, experienced a security incident involving unauthorized access to physician and general practitioner email accounts. Forensic investigations confirmed the breach occurred between March 4 and March 28, 2022, though the exact intrusion method remained unspecified. The compromised accounts contained protected health information, including patient names, dates of birth, medical record numbers, clinical details such as diagnosis and treatment information, provider names, treatment locations, and procedure dates. A subset of affected individuals also had driver's license numbers, Social Security numbers, or health insurance information exposed. Investigators could not determine whether the attacker viewed or extracted email contents during the 24-day access period but acknowledged potential data theft given the unauthorized entry.

BJC HealthCare initiated patient notifications by May 31, 2022, though the total number of impacted individuals remained undisclosed because the incident had not yet appeared on federal regulatory portals. The organization offered complimentary credit monitoring and identity theft protection exclusively to patients whose Social Security numbers or driver's license numbers were exposed. No evidence of actual misuse of stolen data was confirmed at notification time. The forensic review focused exclusively on email account contents and did not indicate broader network compromise or system-wide vulnerabilities. Cooper University Health Care disclosed a separate, chronologically distinct email breach from November 2021 in the same announcement; that event involved different timelines, intrusion dates, and investigative conclusions and was unrelated to the March 2022 BJC incident. At the time of public disclosure, the HHS Office for Civil Rights breach portal listings for both organizations were incomplete.
