Cyber Incident Victim: El Camino Health
Date: Sep 2021
Location: United States of America
Summary
El Camino Health faced a potential data breach involving patient information allegedly stolen via a phishing attack on an employee, which enabled unauthorized network access over an extended period. The attacker reportedly gained entry after the employee approved a multi-factor authentication (MFA) prompt, established a backdoor that avoided further MFA challenges, and exfiltrated data including patient names, medical record numbers, dates of birth, addresses, and physician details; Social Security numbers were not included. The organization, unaware of the incident until an external inquiry, launched an investigation with third-party experts and confirmed no ongoing system compromise. While a dark web listing claimed millions of records, the health system verified and notified 14 patients whose medical imaging data was definitively linked to the incident; the total scope, and whether the data originated from its own systems or from a vendor, remains under investigation.
Description
In September 2021, an El Camino Health employee fell victim to a phishing attack that enabled unauthorized access to the organization's network. The attackers' initial access attempts were blocked, but after repeated attempts the employee approved a multi-factor authentication (MFA) prompt, granting the threat actors entry. Once inside, the attackers reportedly exploited vulnerabilities to move laterally within the network and established a persistent backdoor that let them return without facing further MFA challenges. This access reportedly remained undetected until January 2023, with the intruders allegedly amassing over four million records containing patient names, medical record numbers (MRNs), dates of birth, addresses, and phone numbers; no Social Security numbers were included. Evidence of the breach surfaced on February 22, 2023, when an unknown actor posted samples of patient data on an obscure online platform, claiming the information originated from El Camino Health. The samples contained identifiable patient information from August 2022 and other dates between 2021 and January 2023, including physician names and dates of service. The poster later removed the listing after claiming to have sold the full dataset, though a subsequent BreachForums post by a similarly named user in March 2023 appeared to re-offer the same data.
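The initial-access pattern described above (a run of blocked or unanswered MFA prompts followed by an approval, and then a change that removes the need for future MFA) is something a SOC can hunt for in identity-provider logs. The following is an added detection example written for this page, not code from El Camino Health or its investigators; the log format, field names, thresholds and the sample events are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample identity-provider events (hypothetical format; not real logs).
# "mfa_prompt" carries the user's response; "mfa_enroll" records a new authenticator.
SAMPLE_EVENTS = [
    {"ts": "2021-09-14T02:11:05", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2021-09-14T02:11:40", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "timeout"},
    {"ts": "2021-09-14T02:12:15", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "denied"},
    {"ts": "2021-09-14T02:13:02", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "timeout"},
    {"ts": "2021-09-14T02:14:30", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_prompt", "result": "approved"},
    # A new authenticator registered minutes after the suspicious approval: the kind of
    # change that would let an intruder come back without the victim seeing a prompt.
    {"ts": "2021-09-14T02:20:11", "user": "jdoe", "ip": "203.0.113.7", "event": "mfa_enroll", "result": "new_device"},
    # Benign activity: a single approval with no preceding failures, then one denial.
    {"ts": "2021-09-14T08:30:00", "user": "asmith", "ip": "198.51.100.20", "event": "mfa_prompt", "result": "approved"},
    {"ts": "2021-09-14T08:31:00", "user": "asmith", "ip": "198.51.100.20", "event": "mfa_prompt", "result": "denied"},
]


def detect_mfa_fatigue(events, window_minutes=10, min_failures=3, enroll_hours=24):
    """Flag approvals preceded by >= min_failures non-approved prompts from the same
    user/source within window_minutes, and note whether a new MFA device was enrolled
    for that user within enroll_hours after the approval.

    Returns a list of alert dicts, in chronological order of the approval."""
    window = timedelta(minutes=window_minutes)
    enroll_window = timedelta(hours=enroll_hours)
    ordered = sorted(events, key=lambda e: e["ts"])
    enrollments = [(datetime.fromisoformat(e["ts"]), e["user"])
                   for e in ordered if e["event"] == "mfa_enroll"]

    pending = defaultdict(deque)  # (user, ip) -> timestamps of recent non-approved prompts
    alerts = []
    for e in ordered:
        if e["event"] != "mfa_prompt":
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = pending[(e["user"], e["ip"])]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if e["result"] != "approved":
            q.append(ts)
            continue
        if len(q) >= min_failures:
            followed_by_enroll = any(
                user == e["user"] and ts <= ets <= ts + enroll_window
                for ets, user in enrollments
            )
            alerts.append({
                "user": e["user"],
                "source_ip": e["ip"],
                "failed_prompts": len(q),
                "approved_at": e["ts"],
                "new_mfa_device_after": followed_by_enroll,
            })
        q.clear()  # an approval ends the current burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The approval itself is the weak signal; the enrollment of a new authenticator shortly afterwards is what turns a possibly benign "user finally tapped approve" into a likely persistence event, so the alert carries both. Tune `min_failures` and the window to the tenant's normal prompt noise, and key the burst on user plus source address so one user's legitimate retries from their own device are not conflated with pushes driven from an unfamiliar IP.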

El Camino Health initiated an investigation on February 23, 2023, after being alerted to the claims by DataBreaches.net, having had no prior awareness of any security incident. The organization engaged third-party cybersecurity experts to assess its systems and determine the data's origin. While investigators found no evidence of ongoing network compromise, they confirmed the exposure of 14 medical imaging patients' names, MRNs, associated physician names, and service dates. On March 15, 2023, El Camino notified these confirmed patients about the incident and provided protective guidance, while also fulfilling state regulatory reporting obligations. The health system maintained normal operations throughout the investigation and emphasized that patient care remained unaffected. The scope of potentially compromised data remains under active investigation, with El Camino committing to additional notifications if evidence confirms further unauthorized access to protected health information from its systems or affiliated vendors. The organization's interim public statement acknowledged the ongoing effort to verify the breach's origin and full impact while forensic examinations continue.
