Cyber Incident Victim: Hunt Memorial Hospital District
Date:
May 2018
Location:
United States of America
Summary
Hunt Memorial Hospital District experienced a security incident involving unauthorized access to an employee's email account within its Home Health system, potentially exposing patient protected health information. The breach occurred when an intruder compromised the account and sent emails internally, though no confirmed data misuse was identified. The organization notified potentially affected patients, offered complimentary identity theft protection services including credit monitoring and insurance coverage, and reported the incident to law enforcement. Security protocols were reviewed and reinforced with employee retraining to prevent future occurrences, while existing administrative and technical safeguards were maintained.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 1, 2018, Hunt Memorial Hospital District ("Hunt") discovered unauthorized access to its Home Health email system through a compromised employee account. The intruder sent an email to certain internal users from the breached account, though this communication did not contain protected health information (PHI). Hunt could not definitively determine whether the attacker accessed PHI or personal data during their time in the system, as the compromised account had access to information belonging to Home Health patients. The hospital district promptly engaged law enforcement, reporting the incident to the FBI and pledging full cooperation with their investigation. No evidence suggested patient data was exfiltrated or misused, and Hunt stated there was no indication of elevated identity theft risk for affected individuals.
Hunt began notifying potentially impacted patients via mailed letters in June 2018, offering complimentary identity protection services through ID Experts’ MyIDCare program. This included 12 months of credit monitoring, a $1,000,000 insurance reimbursement policy, educational resources, and fully managed identity theft recovery services. The organization emphasized that existing administrative, physical, and technical safeguards were in place prior to the breach but undertook additional remedial actions post-incident. These measures included policy and procedure reviews, employee retraining on credential security, and ongoing assessments of privacy and security controls. Hunt expressed regret for any inconvenience caused and directed patients to a dedicated assistance line (888-813-7480) for questions. The incident remained confined to the Home Health email system, with no reported operational disruptions or broader network compromise.