Cyber Incident Victim: AdventHealth
Date: Aug 2017
Location: United States of America
Summary
A malware infection at AdventHealth Medical Group’s Pulmonary & Sleep Medicine center compromised systems for over 16 months, potentially exposing protected health information of approximately 42,000 patients. Unauthorized access via malware enabled potential viewing or theft of sensitive data including patient names, contact details, Social Security numbers, medical histories, insurance information, and demographic attributes. The breach remained undetected for an extended period before discovery and subsequent remediation, prompting system security enhancements and audits to accelerate future breach detection. Affected individuals received notifications and were offered complimentary credit monitoring and identity theft protection services.
Description
In August 2017, malware was installed on systems at AdventHealth Medical Group’s Pulmonary & Sleep Medicine center in Tavares, Florida, formerly known as Lake Pulmonary Critical Care, granting unauthorized individuals access to patient data. The intrusion remained undetected for 16 months until December 27, 2018, when the malware infection was discovered. Following the discovery, the healthcare provider removed the malicious software, secured its systems, and initiated an investigation to determine the breach’s scope and affected individuals. The investigation confirmed that attackers accessed portions of the system containing protected health information of 42,161 patients. Compromised data included patient names, addresses, email addresses, telephone numbers, dates of birth, health insurance details, Social Security numbers, medical histories, and demographic information such as race, gender, weight, and height. The specific method of malware installation and the reason for the prolonged detection gap were not disclosed by the provider.

AdventHealth began notifying impacted patients via mailed letters on January 25, 2019. Affected individuals were offered 12 months of complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll. Patients were advised to monitor their insurance explanation of benefits statements for potential misuse of their information. In response to the incident, AdventHealth implemented additional technical safeguards to strengthen its defenses against future cyberattacks and enhanced system monitoring protocols to accelerate breach detection. No evidence was found indicating actual misuse of the exposed data at the time of notification. The breach impacted only the Pulmonary & Sleep Medicine center’s systems and did not involve other AdventHealth entities.
