Cyber Incident Victim: NewYork-Presbyterian Hospital
Date: Sep 2022
Location: United States of America
Summary
NewYork-Presbyterian Hospital experienced a cybersecurity incident involving unauthorized access to workforce laptops via a cloud-based remote IT support program, allowing a threat actor to copy and remove desktop files containing protected health information. The compromised data, affecting approximately 12,000 patients from two affiliated facilities, included names, addresses, insurance authorizations, medical record numbers, and exam results, though the hospital's patient portal remained unaffected. Internal security monitors detected and blocked initial suspicious server activity, prompting an investigation that confirmed the breach, with the organization notifying impacted individuals through its website.
Description
On September 8, 2022, NewYork-Presbyterian Hospital's data security monitoring systems detected suspicious activity on one of its servers, triggering an immediate alert. The activity involved potential attempts by an unauthorized user to download information from the server. The hospital's security team successfully blocked these download attempts and initiated an investigation through its Information Security Department. Subsequent forensic analysis revealed that prior to the server alert, an unauthorized third party had compromised the institution's systems through a different vector. The threat actor exploited a cloud-based remote IT customer support program to gain access to multiple workforce members' laptops.

The attacker copied and removed desktop files from several compromised laptops between the initial intrusion and the September 8 detection. While the hospital confirmed its patient portal systems remained unaffected, one breached laptop contained protected health information of approximately 12,000 patients from NewYork-Presbyterian/Queens and NewYork-Presbyterian/Hudson Valley facilities. Exposed data included patient first and last names, physical addresses, insurance authorization details, medical record numbers, and clinical exam results. NewYork-Presbyterian publicly disclosed the breach via a website notice on November 11, 2022, though the incident had not yet appeared on HHS's breach reporting portal at the time of the disclosure. The hospital directed affected individuals to review its official notification for details about its response measures, which included security protocol reviews; the available source material does not specify remediation offers or system changes.
