Cyber Incident Victim: Trillium Health
Date: Jul 2022
Location: United States of America
Summary
An unauthorized individual accessed an employee email account at CSI Laboratories, a cancer testing and diagnostics provider, potentially compromising protected health information of nearly 245,000 patients. The breach was detected when attackers attempted a business email compromise scheme to redirect customer payments, though investigators later confirmed patient data—including names, identifiers, and in some cases dates of birth and insurance details—had been copied from invoices. While the primary motive appeared financial rather than data theft, the organization secured the account, enhanced email security protocols, implemented additional employee phishing training, and increased monitoring of network and email systems to mitigate future risks.
Description
On July 8, 2022, Cytometry Specialists, Inc. (CSI Laboratories) detected unauthorized access to an employee’s email account and immediately secured the compromised account. The Alpharetta, GA-based cancer testing laboratory initiated an investigation, which revealed the intrusion was part of a business email compromise (BEC) scheme designed to redirect healthcare provider payments to an attacker-controlled account. The threat actor used a fictitious email address impersonating CSI Laboratories to facilitate fraudulent payment diversion. By July 15, 2022, forensic analysis confirmed that files containing protected health information had been copied from the breached mailbox during the incident. These files primarily consisted of invoices sent to CSI’s healthcare provider customers, which the attacker likely obtained to lend credibility to the payment redirection scam.

The breach impacted 244,850 patients whose data was present in the exfiltrated invoice files. Most records contained patient names and internal identifiers, though a subset included additional details such as dates of birth and health insurance information. CSI Laboratories assessed the risk of patient data misuse as low, given the operational nature of the documents and the attacker’s financial motive. In response, the laboratory implemented enhanced email security measures, expanded employee training on phishing recognition, and strengthened monitoring of network and email systems to prevent similar incidents. No evidence suggested systemic network compromise beyond the isolated email account breach.
