Cyber Incident Victim: St. Marys Health
Date:
Dec 2014
Location:
United States of America
Summary
A breach at St. Mary’s Health occurred when employee usernames and passwords were compromised through an email hacking attempt, exposing personal information of approximately 4,400 individuals. The compromised data included names, dates of birth, genders, insurance details, limited health information, Social Security numbers, and dates of service, though medical and billing records were not accessed. The organization disabled the affected credentials, initiated an investigation, collaborated with its email provider to strengthen security measures, and implemented additional employee training. Impacted individuals received notifications and were offered complimentary identity protection and monitoring services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2014, St. Mary's Health, an Indiana-based healthcare provider, experienced a cybersecurity incident involving unauthorized access to employee email accounts. The organization discovered the breach on December 3, 2014, when it identified that several employees had their usernames and passwords compromised through what it described as an "e-mail hacking attempt." These compromised email accounts contained personal information belonging to approximately 4,400 individuals. By January 8, 2015, through subsequent investigation, St. Mary's Health determined the specific types of sensitive data potentially exposed in the breach. The compromised information included names, dates of birth, genders, dates of service, insurance information, limited health information, and Social Security numbers. The organization emphasized in its public statements that the hackers did not gain access to comprehensive medical records or billing systems, limiting the scope to information contained within the affected email accounts.
Upon detecting the incident, St. Mary's Health immediately disabled the compromised usernames and passwords to prevent further unauthorized access. The organization launched a formal investigation to assess the extent of the breach and identify affected individuals. By March 5, 2015, St. Mary's Health had publicly disclosed details of the incident through a substitute notice on its website and began notifying all impacted individuals directly. As part of its remediation efforts, the healthcare provider collaborated with its email service provider to implement enhanced security measures for its email systems. St. Mary's Health also committed to providing additional cybersecurity education for its employees to prevent similar incidents. All 4,400 affected individuals were offered complimentary identity protection and credit monitoring services to mitigate potential misuse of their exposed personal information. The breach notification process occurred nearly three months after the initial discovery, reflecting the time required to complete forensic analysis and identify the specific data at risk.