Cyber Incident Victim: Community Memorial Health System

Community Memorial Health System (CMHS) in Ventura experienced a data security breach involving unauthorized access to patient information. The incident stemmed from a phishing attack that compromised an employee's email account. On June 23, 2017, the affected employee observed irregularities in their account activity and promptly notified CMHS administration. This detection occurred on the same day the account anomalies were first noticed, indicating immediate internal reporting. The health system initiated an investigation following the employee's notification, though the exact duration and methodology of this investigation were not publicly detailed. CMHS confirmed that the compromised email account contained sensitive patient data, establishing a direct link between the account breach and potential exposure of protected health information.

CMHS issued breach notifications to affected individuals by September 5, 2017, approximately two and a half months after detecting the incident. The notifications confirmed that patient information had been exposed through the unauthorized email access but did not specify the number of affected individuals or particular data elements compromised. The health system's public disclosure characterized the event as a "data security breach" without elaborating on whether information was actually exfiltrated or merely accessed. No evidence suggested broader system penetration beyond the single compromised email account. The organization's response included standard breach notification procedures but did not publicly disclose additional remediation measures taken, such as enhanced security training or phishing resistance improvements. The incident highlighted vulnerabilities associated with email-based attacks targeting healthcare employees with access to sensitive patient data.