Cyber Incident Victim: Saint Alphonsus Health System
Date:
Jan 2021
Location:
United States of America
Summary
A healthcare provider experienced a security incident when an employee's email account was compromised and used to send spam. During subsequent breach notifications, a vendor's mail merge error caused incorrect status labels to be applied, erroneously informing some patients they were deceased or minors. This compounded the initial privacy violation by delivering distressing and inaccurate information to affected individuals. The incident highlighted procedural failures in both cybersecurity response and third-party communication processes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early January 2021, Saint Alphonsus Health System experienced a security incident involving unauthorized access to an employee’s email account. The breach occurred when an attacker compromised the account and used it to distribute spam emails. While the exact duration of unauthorized access wasn’t disclosed, the organization identified the intrusion and initiated an investigation. During subsequent breach notification efforts, a separate error occurred involving a third-party vendor responsible for mailing notifications to affected patients. A technical malfunction in the mail merge process resulted in letters being incorrectly addressed to some recipients, erroneously labeling them as deceased or minors. This compounding error significantly escalated patient distress beyond the initial privacy concerns related to the email compromise. The hospital publicly acknowledged both the email security incident and the notification error, confirming that the mail merge issue stemmed from faulty data formatting during the letter generation process.
The incident’s primary impact involved the improper disclosure of protected health information through the compromised email account, though specific data types and the number of affected individuals weren’t detailed in available reports. More immediate and visible consequences emerged from the erroneous notifications, which caused confusion and emotional distress among recipients mistakenly informed of their own death or misclassified as minors. Saint Alphonsus addressed both issues through a unified response, issuing public statements to explain the dual nature of the incident—first clarifying the email account breach and then detailing the mail merge failure. The organization did not disclose whether additional corrective measures were implemented beyond the public acknowledgment, nor were specifics provided about enhanced vendor oversight or email security improvements. The event highlighted operational vulnerabilities in both internal security protocols and third-party communication processes during breach remediation efforts.