Cyber Incident Victim: Oswego Health
Date: Jun 2020
Location: United States of America
Summary
Oswego Health experienced unauthorized access to an employee email account over several days, potentially exposing patient information. The compromised account was used to send an email containing a link to a malicious site, with a subject line referencing a patient number. The health system discovered the incident but delayed notifying affected patients for over three months, exceeding HIPAA's required notification timeframe. While the breach investigation confirmed potential data exposure, specifics regarding the number of impacted individuals or the full scope of compromised information were not publicly disclosed. No official notice appeared on the organization's website or federal breach reporting portals at the time of initial reports.
Description
Oswego Health experienced a potential exposure of patient data stemming from unauthorized access to an employee email account between June 11 and June 15, 2020. The health system detected the compromise on June 16, 2020, when an external attacker used the compromised account to send an email containing a link to a potentially malicious site. The email’s subject line read “[secure] pt # 18337,” suggesting an attempt to impersonate legitimate communications. Becker’s Hospital Review first publicly reported the incident on June 17, 2020, noting the attacker was not affiliated with Oswego Health. The health system initiated an investigation but did not disclose the timeline or methodology of its discovery process. Patient data within the email account was potentially exposed, though the specific types of information at risk were not detailed in available sources. Oswego Health confirmed the incident involved only one employee’s email account, limiting the scope to communications and attachments accessible through that single vector.

Oswego Health notified affected patients via letters dated September 30, 2020—approximately 3.5 months after detecting the incident. This notification delay exceeded HIPAA’s 60-day requirement for reporting breaches of protected health information, though the health system did not publicly explain the reason for the lag. The organization’s notification letter cited “potential unauthorized access” but provided no specifics about whether data was actually misused or exfiltrated. As of June 16, 2020, when DataBreaches.net published its analysis, Oswego Health had not responded to media inquiries, posted a public notice on its website, or listed the incident on the U.S. Department of Health and Human Services’ breach portal. The lack of public documentation left the total number of affected patients undisclosed and raised questions about compliance with regulatory disclosure standards. No additional containment measures, forensic findings, or post-incident actions were disclosed in available reports.
