Cyber Incident Victim: Episcopal Health Services
Date: Aug 2018
Location: United States of America
Summary
Episcopal Health Services experienced unauthorized access to employee email accounts between August 28, 2018, and October 5, 2018, discovered during an investigation into suspicious activity. The compromised accounts contained protected health and personal information, including Social Security numbers, dates of birth, financial account details, medical histories, treatment information, and health insurance data, with varying impacts per individual. After identifying affected parties through forensic review, the organization notified individuals in multiple phases due to incomplete address records and duplicates uncovered during extended analysis. Credit monitoring and identity theft protection services were offered to potentially impacted individuals, alongside guidance on fraud alerts and credit freezes. A dedicated call center was established to address inquiries related to the incident.
Description
Episcopal Health Services detected suspicious activity within employee email accounts on September 18, 2018, prompting an immediate investigation with third-party forensic specialists. The investigation revealed unauthorized access to certain employee email accounts between August 28, 2018, and October 5, 2018. A review of these accounts confirmed the presence of protected health information and personal data, though the organization reported no known attempted or actual misuse of the compromised information at the time. On November 1, 2018, Episcopal Health Services concluded that the breached accounts contained sensitive details including Social Security numbers, dates of birth, financial account information, medical histories, prescription records, medical record numbers, treatment or diagnosis details, and health insurance policy numbers, with the specific data elements varying per individual. Notification letters were mailed starting November 15, 2018, to affected individuals for whom postal addresses were available.

Continued review of the compromised email accounts led to a second determination on February 26, 2019, identifying additional accounts containing protected information. Challenges arose in notifying these newly identified individuals due to incomplete address data and duplicate entries in the vendor-provided list. Episcopal Health Services conducted an internal review to resolve these issues, completing the process by March 19, 2019, and subsequently mailing a second round of notification letters. The organization offered one year of complimentary credit monitoring and identity theft protection services to all potentially impacted individuals. A dedicated call center (1-866-775-4209) was established to address inquiries, operating Monday through Friday during Eastern Time business hours. Affected parties were advised to monitor financial statements, credit reports, and insurance explanations of benefits for suspicious activity, with guidance provided on contacting major credit bureaus (Equifax, Experian, TransUnion) and the Federal Trade Commission for fraud alerts or security freezes.
