Cyber Incident Victim: Metrocare Services
Date: Jan 2019
Location: United States of America
Summary
Metrocare Services experienced two separate security incidents involving unauthorized access to employee email accounts, compromising sensitive patient information. The breaches exposed personal and health-related data, including names, dates of birth, health insurance details, driver's license information, treatment records, and some Social Security numbers. Following the first incident affecting over 1,800 individuals, the organization pledged enhanced email security and staff training but did not initially implement multi-factor authentication. A subsequent breach impacted more than 5,200 patients, prompting the eventual adoption of multi-factor authentication alongside other infrastructure improvements to mitigate future risks.
Description
Metrocare Services experienced a breach involving unauthorized access to employee email accounts, first detected on February 6, 2019. The intrusion began in January 2019, with an external third party compromising multiple accounts. Metrocare secured the affected accounts promptly and initiated an investigation, which confirmed the unauthorized access but could not definitively determine whether emails containing patient information were viewed. The compromised data included names, dates of birth, health insurance details, driver's license information, treatment-related health records, and Social Security numbers for some individuals. This incident impacted 5,290 patients, marking the second such breach within five months, following a nearly identical November 2018 email compromise that affected 1,804 patients. Both breaches were discovered within approximately one month of initial access.

In response to the 2019 incident, Metrocare notified the U.S. Department of Health and Human Services (HHS) on April 5, 2019, and issued public notifications detailing the breach scope and protective measures. The organization stated it had strengthened email security and implemented multi-factor authentication—a safeguard notably absent after the 2018 breach, despite prior commitments to enhance system protections. Following the earlier incident, Metrocare had pledged to bolster its email infrastructure and provide additional employee security training but had not adopted multi-factor authentication at that time. The 2018 breach remained under HHS investigation as of the 2019 disclosure. No threat actor details or specific attack vectors were disclosed in either case. The repeated nature of the breaches raised questions about regulatory scrutiny regarding the adequacy of Metrocare’s corrective actions.
