Cyber Incident Victim: University of Missouri Health Care
Date:
Sep 2019
Location:
United States of America
Summary
Unauthorized individuals accessed student email accounts at University of Missouri Health Care through credential stuffing, leveraging login credentials compromised from an unrelated third-party breach. The affected accounts contained patient names, dates of birth, medical record numbers, health insurance details, limited treatment or clinical information, and some Social Security numbers, impacting only students who reused credentials across both systems. While the healthcare provider found no evidence that data was viewed or misused, it notified affected patients and established a call center, offering complimentary credit monitoring to those whose Social Security numbers were involved.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 21, 2019, University of Missouri Health Care (MU Health Care) discovered unauthorized access to email accounts belonging to students who had previously received care through its health system. The breach investigation determined threat actors had compromised these accounts through a credential stuffing attack beginning two days earlier on September 19, 2019. Attackers obtained login credentials from an unrelated third-party organization’s security breach and exploited reused passwords to access university email accounts. Only students who had recycled identical credentials across both the third-party service and their university accounts were impacted. The compromised email accounts contained patient information including full names, dates of birth, medical record numbers, health insurance details, and limited clinical data such as diagnoses, medications, and treatment information. A small subset of individuals also had their Social Security numbers exposed through this incident. MU Health Care emphasized this did not constitute a direct breach of its own systems or infrastructure.
The organization completed its investigation by May 5, 2020, though the provided notification did not explain the seven-month timeline for identifying affected patients or disclose the total number impacted. While investigators found no evidence that unauthorized parties actually viewed the exposed information or misused it, MU Health Care mailed notification letters to all identified patients as a precautionary measure. The health system established a dedicated call center to address patient inquiries and offered complimentary credit monitoring and identity protection services specifically to individuals whose Social Security numbers were involved. The scope remained unclear regarding whether non-patient students experienced similar email compromises through the same credential stuffing attack but were excluded from notifications due to lacking healthcare data exposure.