Cyber Incident Victim: University of Vermont Health Network
Date:
May 2017
Location:
United States of America
Summary
The University of Vermont Health Network experienced a phishing incident where an unauthorized third party accessed an employee’s email account, potentially compromising patient information. Exposed data included names, addresses, dates of birth, medical record numbers, clinical details such as diagnoses and treatments, physicians’ names, and medications, though Social Security numbers and financial information were unaffected. Approximately 2,300 patients were impacted by the breach. The organization disabled the compromised account, initiated an investigation, and notified affected individuals while establishing a dedicated call center for inquiries. Additional security measures and staff education were implemented following the incident to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 24, 2017, the University of Vermont Medical Center discovered that an unauthorized third party had gained access to an employee’s email account two days earlier, on May 22, 2017. The organization immediately disabled the compromised email account and initiated an investigation to determine the scope and nature of the incident. The investigation confirmed that a single email within the account contained protected patient information, though there was no evidence that any data had been misused or exfiltrated. The exposed information included patient names, addresses, dates of birth, medical record numbers, and clinical details such as diagnoses, treatment plans, physicians’ names, and prescribed medications. Notably, the investigation confirmed that Social Security numbers and financial data—including bank account or credit card information—were not present in the affected email account. The breach impacted approximately 2,300 patients of the UVM Medical Center, with no indication that other systems or accounts beyond the single employee email were compromised.
The medical center began notifying all affected patients via mailed letters starting July 21, 2017, and established a dedicated call center operational Monday through Friday from 9 a.m. to 9 p.m. Eastern Time to address patient inquiries. Individuals who believed they might be impacted but did not receive a notification letter by August 22, 2017, were instructed to contact the call center at 800-383-5522. In response to the incident, the organization implemented additional security measures to strengthen its email systems and conducted reinforced staff training to emphasize protocols for safeguarding patient information. The medical center publicly expressed regret for any concern or inconvenience caused to patients and reiterated its commitment to protecting confidential health data. No further details regarding the specific phishing methodology, duration of account access prior to detection, or identity of the threat actor were disclosed in the provided notification.