Cyber Incident Victim: Saint Agnes Health Care
Date: Apr 2015
Location: United States of America
Summary
Saint Agnes Health Care experienced a breach when attackers used a phishing email to compromise an employee's email account, exposing personal information of approximately 25,000 individuals. The compromised data included names, dates of birth, genders, medical record numbers, insurance details, limited clinical information, and, in four instances, Social Security numbers. The organization disabled the affected account credentials, enhanced security safeguards, notified all impacted parties, and offered identity monitoring services to those whose Social Security numbers were accessed.
Description
On April 27, 2015, Maryland-based Saint Agnes Health Care disclosed a data breach impacting approximately 25,000 individuals. Attackers compromised an employee's email account through a phishing attack targeting Saint Agnes personnel. The breached account contained stored personal information including names, dates of birth, genders, medical record numbers, insurance details, and limited clinical information. Social Security numbers were exposed in four specific cases. The organization confirmed the attackers gained unauthorized access by deceiving an employee through fraudulent email communications designed to harvest credentials. This phishing method enabled the compromise without requiring direct intrusion into Saint Agnes’s core medical systems or electronic health records.

Saint Agnes responded by immediately disabling the compromised email account’s username and password credentials. The organization initiated implementation of administrative, technical, and physical safeguards to strengthen protections for protected health information. All affected individuals received breach notifications, with those whose Social Security numbers were exposed being offered complimentary identity monitoring and protection services. Saint Agnes reported the incident to its email service provider and announced an evaluation of additional security enhancements to its existing program. Corporate Responsibility Officer Sharon McNamara publicly affirmed these response measures in an official notification posted to the Saint Agnes website, characterizing the organization’s security protocols as robust prior to the incident while acknowledging the need for ongoing improvements in light of the phishing attack’s success.
