Cyber Incident Victim: Navicent Health
Date:
Jul 2019
Location:
United States of America
Summary
Navicent Health experienced a cyber attack targeting employee email accounts, discovered in mid-summer. The unauthorized access potentially compromised patient names, dates of birth, addresses, limited medical and billing details, and some Social Security numbers. While forensic investigation confirmed no impact on core networks or electronic medical records, the organization could not definitively rule out data exposure. Notification letters were sent to affected individuals, offering free identity theft protection services for those with exposed Social Security numbers. Law enforcement was engaged, and no fraud or identity theft linked to the incident had been identified at the time of disclosure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Navicent Health, a major healthcare provider in Middle Georgia, experienced a cyber attack targeting its email system during the summer of 2019. The organization became aware of the incident in July 2019 and immediately initiated a security investigation. Law enforcement was notified, and external forensic security firms were engaged to assist with the inquiry and assess the integrity of the email and computer systems. The investigation confirmed the breach was limited to employee email accounts, with no compromise of the organization’s broader computer networks or electronic medical record systems. By January 24, 2019, Navicent Health determined the impacted email accounts contained patient personal information, including names, dates of birth, addresses, and limited medical details such as billing and appointment records. Social Security numbers were also present in some affected accounts. The organization acknowledged it could not definitively ascertain whether the unauthorized party had viewed or acquired any data, as forensic analysis could not isolate specific information accessed during the breach.
Navicent Health began mailing notifications to potentially impacted patients with valid addresses in early 2019, over six months after the initial discovery. The notices outlined protective measures individuals could take, including credit monitoring and reviewing account statements for suspicious activity. Free identity theft protection services were offered to those whose Social Security numbers were potentially exposed. The healthcare provider emphasized it had no evidence of fraud or identity theft stemming from the incident at the time of disclosure. Internal response efforts included evaluating enhanced staff training programs and reviewing technical security controls to prevent future breaches. A dedicated call center was established to address patient inquiries, operational Monday through Friday during specified hours. The organization reiterated its commitment to safeguarding personal information and apologized for any inconvenience caused by the incident.