Cyber Incident Victim: University of Maryland School of Medicine
Date: Jan 2017
Location: United States of America
Summary
A physician assistant's email account at an affiliate of the University of Maryland School of Medicine was compromised, exposing personal information of approximately 1,500 patients. The breach occurred within the orthopedics practice of the University of Maryland Faculty Physicians Inc., prompting mailed notifications to affected individuals regarding unauthorized access to their protected health data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around January 13, 2017, a physician assistant’s email account at the University of Maryland Faculty Physicians Inc. (FPI), an entity affiliated with the University of Maryland School of Medicine, was compromised by an unauthorized actor. The breach exposed personal information belonging to patients treated within FPI’s orthopedics practice. The incident involved direct hacking of the email account, though the specific intrusion method and duration of unauthorized access were not publicly disclosed. Approximately 1,500 patients were affected by the exposure of their data, which was stored within the compromised email account. FPI, which operates as the clinical practice plan for the university’s medical faculty, did not specify the types of patient information involved but confirmed the email contained identifiable personal details. The breach was confined to a single email account and did not extend to broader electronic health record systems or other institutional networks. No evidence suggested misuse of the exposed data at the time of disclosure.

FPI responded by mailing individual notification letters to all affected patients on or shortly before January 13, 2017, as confirmed in a public news release. The letters informed recipients of the breach and the potential exposure of their information but did not outline additional remedial measures such as credit monitoring services. The organization did not disclose whether it implemented enhanced email security protocols, conducted forensic audits, or reported the incident to regulatory authorities beyond patient notifications. The incident impacted a discrete subset of patients within the orthopedics specialty, with no indication of broader compromise across other FPI departments or university medical facilities. Patient data exposure was limited to information stored in the targeted email account, though the breach raised concerns about email security practices for handling sensitive health information. FPI’s public communications provided no further updates regarding investigation outcomes or long-term mitigation efforts beyond the initial disclosure.
