Cyber Incident Victim: Middlesex Hospital

In October 2015, Middlesex Hospital in Connecticut experienced a data breach stemming from a phishing campaign targeting its employees. On October 9, the hospital discovered that four employees had opened malicious emails, potentially exposing the personal information of 946 patients. The compromised data included patient names, addresses, dates of birth, medical record numbers, medication details, dates of service, and dates of diagnosis. Notably absent from the breach were Social Security numbers and direct access to complete medical records. The phishing attack specifically leveraged employee credentials through deceptive emails, though the exact nature of the malicious content or sender tactics remained unspecified in disclosures. The hospital confirmed the incident stemmed exclusively from this email-based compromise rather than broader system vulnerabilities or external network intrusions.

Middlesex Hospital responded by notifying all affected patients directly and offering each individual one year of complimentary credit monitoring services as a precautionary measure. While the institution publicly committed to implementing enhanced security measures to prevent recurrence, it did not detail specific technical, administrative, or training-related changes undertaken. The breach disclosure emphasized the absence of exposed Social Security numbers or comprehensive medical histories in mitigating potential harm to patients. No information surfaced regarding regulatory penalties, legal actions, or financial losses incurred by the hospital or impacted individuals. The incident remained confined to the initial phishing event without evidence of subsequent unauthorized access or data misuse traced to the compromised credentials.