Cyber Incident Victim: Catholic Hospice

On December 1, 2021, Catholic Health Services discovered unauthorized access to three employee email accounts at its Miami Lakes, FL-based Catholic Hospice division. The organization engaged a third-party computer forensics firm to investigate the security incident. The forensic analysis confirmed that attackers had compromised the email accounts, which contained sensitive personal and protected health information. Exposed data included patient and employee names, addresses, and demographic information combined with one or more of the following elements: Social Security numbers, medical treatment history, diagnostic information, and other health-related records. The breach investigation did not specify the exact duration of unauthorized access or the initial intrusion method used by the attackers.

Catholic Health Services formally reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights as affecting 14,986 individuals. The organization initiated notification letters to all affected parties, detailing the types of exposed information specific to each recipient. As remediation, Catholic Health Services offered complimentary credit monitoring and identity theft protection services to breach victims, including a $1,000,000 identity theft insurance policy. No evidence of actual misuse of the stolen data was confirmed at the time of reporting. The organization completed breach notifications and mitigation offerings according to regulatory requirements following the December 2021 discovery date.