Cyber Incident Victim: Health First, Inc.

Date: Feb 2018

Location: United States of America

Summary

A Florida healthcare provider experienced a phishing incident where attackers compromised several employee email accounts, leading to unauthorized access over several months. The breach exposed protected health information for approximately 42,000 patients, though forensic analysis indicated the perpetrators primarily sought to perpetuate further phishing activities rather than target personal data. The organization blocked the unauthorized access, reset affected account credentials, and implemented enhanced security measures to mitigate future risks. Impacted individuals were offered complimentary identity theft monitoring and remediation services for one year.

Description

Between February and May 2018, Health First, Inc., a Florida-based healthcare provider, experienced a phishing incident affecting a small number of employee email accounts. Attackers compromised these accounts through a phishing scam, maintaining unauthorized access for a limited period. Forensic analysis indicated the intruders viewed a limited number of emails but showed no apparent interest in extracting Protected Health Information (PHI), instead focusing on perpetuating further phishing activities. Despite this assessment, the investigation confirmed some compromised accounts contained PHI, necessitating patient notifications. The breach impacted 42,000 patients, though the specific data elements exposed were not detailed in public statements. Health First discovered the incident during the three-month intrusion window but did not publicly disclose the exact date of initial detection. The organization formally reported the breach to the U.S. Department of Health and Human Services (HHS) on October 5, 2018, classifying it as a hacking/IT incident involving email on the HHS breach reporting portal.

Upon identifying the breach, Health First immediately blocked unauthorized access to the compromised email accounts and reset affected employees' passwords. The organization initiated unspecified new security measures to prevent recurrence, though technical specifics of these controls were not disclosed. Health First began notifying impacted patients after completing forensic reviews, offering complimentary 12-month identity protection services through AllClear ID, including monitoring and identity repair assistance. The delayed HHS notification—eight months after the initial breach timeframe—suggests extended investigation or internal assessment periods. No evidence indicated misuse of patient data, consistent with forensic findings that attackers prioritized phishing expansion over data exfiltration. Health First publicly apologized for the incident through its Senior Vice President, Matthew Gerrell, emphasizing ongoing efforts to safeguard customer information and health services.
