
Cyber Incident Victim: Chase Brexton Health Care

Date: Aug 2017

Location: United States of America

Summary

A phishing attack compromised four employee email accounts at Chase Brexton Health Care after staff responded to fraudulent survey emails, enabling attackers to reroute payroll deposits. Although investigators found no evidence that patient data was accessed or targeted, the organization notified 16,562 individuals due to potential exposure of personal health information within the affected email accounts, including names, patient IDs, dates of birth, addresses, diagnoses, medications, and insurance details. The institution responded by securing accounts, engaging third-party investigators, implementing enhanced email filters, and reinforcing employee security training while offering identity protection services to affected patients as a precautionary measure.


Description

On August 2 and 3, 2017, Chase Brexton Health Care employees received fraudulent emails disguised as an employee survey, a phishing tactic designed to harvest login credentials. Four employees completed the survey, inadvertently providing attackers with access to their email accounts. The unauthorized actors exploited this access to redirect the employees’ paychecks to external bank accounts by August 4, 2017, when the breach was detected. Chase Brexton immediately terminated access to the compromised accounts upon discovery. An investigation confirmed the attackers accessed the email accounts between August 2 and 3 but found no evidence they viewed patient health information unrelated to payroll activities. However, the email accounts contained protected health information (PHI) for numerous patients, including names, patient ID numbers, dates of birth, addresses, provider names, diagnosis codes, service details, insurance information, and medication data. Despite the absence of evidence indicating misuse or intentional access to PHI, Chase Brexton determined the potential exposure warranted notification to 16,562 patients whose data resided in the affected inboxes.

Chase Brexton implemented multiple containment and remediation measures following the incident. The organization reset passwords for the compromised accounts, engaged a third-party investigator to assess the breach, and deployed enhanced email filtering systems to block similar threats. Employee training programs were reinforced with additional security protocols to mitigate future phishing risks. The organization mailed written notifications to all potentially affected individuals with verifiable address information and reported the incident to the U.S. Department of Health and Human Services and the Maryland Attorney General. As a precautionary measure, Chase Brexton offered identity repair services to notified patients, though it emphasized no evidence suggested actual viewing or theft of PHI by the attackers. The primary confirmed impact remained the fraudulent diversion of employee paychecks, with patient data exposure classified as a secondary risk due to its incidental presence in the email accounts.
