Cyber Incident Victim: Jacobson Memorial Hospital & Care Center

On July 28, 2020, Jacobson Memorial Hospital & Care Center experienced a security incident involving the compromise of a single employee’s email account. The unauthorized actor used this account to distribute spam emails externally. The hospital detected the intrusion and successfully terminated the attacker’s access to their systems by August 5, 2020. Following containment, the organization engaged a third-party forensic firm to investigate the scope of the breach. The forensic analysis concluded on August 25, 2020, confirming that only the one email account had been compromised. To assess potential data exposure, the hospital then contracted a separate vendor to conduct a specialized review of the compromised account’s contents for protected health information (PHI) and personally identifiable information (PII). This vendor completed its automated search on September 27, 2020.

The hospital subsequently initiated a manual review of emails identified during the automated search to verify the presence and context of sensitive data. This process concluded on December 31, 2020, when the hospital received final confirmation of affected individuals. Notification letters were dispatched to 1,545 patients on February 23, 2021—approximately seven months after initial breach detection and two months after completing the manual review. While the hospital’s external counsel presented the notification timeline as compliant with the 60-day regulatory window from the December 31 discovery date, external analysis noted the six-month gap between the July 28 breach identification and patient notifications. The incident exposed patient PHI contained within the compromised email account but did not involve broader system infiltration beyond the single account. No specific details regarding data categories or attacker identity were disclosed in available reporting.