Cyber Incident Victim: Refuah Health Center
Date: May 2021
Location: United States of America
Summary
Refuah Health Center experienced a cybersecurity incident involving unauthorized access to its systems during a two-day period, prompting an immediate investigation. The breach compromised sensitive data for approximately 260,000 individuals, including names, Social Security numbers, medical and financial records, insurance details, and diagnostic information. The organization publicly acknowledged the incident months after concluding its investigation, apologizing for the event and emphasizing ongoing privacy commitments. Mitigation efforts included deploying a new firewall and conducting vulnerability assessments to strengthen security controls against future threats.
Description
Refuah Health Center, based in New York, experienced a cybersecurity incident involving unauthorized access to its systems between May 31 and June 1, 2021. The organization detected the breach and immediately initiated an investigation, though the specific method of detection was not disclosed. The investigation concluded nearly nine months later on March 2, 2022, but Refuah did not publicly explain the reason for the extended timeline between the incident’s discovery and subsequent notification of affected individuals. On April 29, 2022, the health center began notifying 260,740 individuals that their personal and protected health information may have been compromised during the breach. The potentially exposed data included highly sensitive identifiers such as names, Social Security numbers, medical record numbers, driver’s license numbers, state identification numbers, and dates of birth. Additionally, financial information such as credit/debit card details, financial account information, and Medicare/Medicaid numbers was impacted, alongside healthcare-specific data including patient account numbers, diagnosis information, and health insurance policy numbers.

In its April 29 notification, Refuah Health Center issued a public apology and emphasized its commitment to protecting personal and health information. The organization stated it had implemented multiple security enhancements following the incident, specifically mentioning the installation of a new firewall and completion of a vulnerability assessment. Refuah also highlighted its ongoing efforts to evaluate and modify internal practices and controls to strengthen data security and privacy protections. No ransomware involvement, data misuse evidence, or specific attacker details were disclosed in the available information. The breach exposed patients to potential identity theft and financial fraud risks due to the comprehensive nature of the compromised data categories. Refuah’s public communication focused on remediation steps taken rather than technical specifics of the attack vector or operational disruptions caused by the incident.
