Date: Mar 2022

Location: United States of America

Summary

Washington University School of Medicine experienced unauthorized access to certain employee email accounts, potentially exposing patient and research participant information. The compromised accounts contained names, dates of birth, addresses, medical records, patient account numbers, clinical details, and limited instances of health insurance data or Social Security numbers. While forensic analysis could not confirm whether emails or attachments were viewed or exfiltrated, the breach impacted 1,056 individuals. In response, the institution implemented enhanced email security measures and reinforced employee training on identifying suspicious communications.

Description

Between March 4 and March 28, 2022, Washington University School of Medicine in St. Louis, Missouri, experienced a data security incident involving unauthorized access to certain employee email accounts. The breach was identified when suspicious email activity was detected, prompting immediate action to secure the compromised accounts. The school engaged third-party cybersecurity experts to conduct a forensic investigation into the incident. The investigation aimed to determine whether the unauthorized actor had accessed, opened, or obtained emails or attachments within the affected accounts during the 24-day period. While the forensic review confirmed the presence of sensitive patient and research participant information within the emails and attachments, investigators could not conclusively determine whether the threat actor had actually viewed or exfiltrated any data. The analysis revealed the exposed information included patient names, dates of birth, addresses, medical record numbers, clinical details, and account numbers. A smaller subset of individuals had additional sensitive elements exposed, such as health insurance information and Social Security numbers.

In response to the incident, Washington University School of Medicine implemented enhanced email security measures to strengthen protections against similar cyberattacks. The institution also reinforced employee training programs focused on identifying and avoiding suspicious emails to reduce future risks. The forensic review confirmed the breach impacted 1,056 patients and research participants whose information resided in the affected email accounts. The school reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights as required under HIPAA regulations. No evidence suggested misuse of the exposed data, but the inability to confirm whether information was accessed or copied by the threat actor necessitated transparency about the potential compromise. The incident underscored vulnerabilities associated with email-based data storage and prompted institutional adjustments to email controls and security protocols.
