Cyber Incident Victim: Allwell Behavioral Health Services
Date: Mar 2022
Location: United States of America
Summary
An unauthorized individual gained access to email accounts of physicians and general practitioners at BJC HealthCare, compromising protected health information. The breach exposed names, dates of birth, medical records, clinical details, and, in some cases, health insurance information, driver's license numbers, and Social Security numbers. BJC HealthCare offered complimentary credit monitoring and identity theft protection services to those affected. The investigation confirmed unauthorized access but couldn't determine if data was viewed or copied.
Description
BJC HealthCare, a non-profit healthcare organization based in St. Louis, Missouri, experienced a security incident involving unauthorized access to a limited number of physician and general practitioner email accounts between March 4 and March 28, 2022. The organization initiated a forensic investigation to determine the nature and scope of the breach, though the analysis could not confirm whether emails or attachments within the compromised accounts were viewed or copied by the threat actor. A subsequent review of the affected accounts confirmed the presence of protected health information, including patient names, dates of birth, medical record numbers, clinical details such as diagnosis and treatment information, provider names, and treatment locations. A subset of impacted individuals also had additional sensitive data exposed, including health insurance details, driver’s license numbers, and Social Security numbers. BJC HealthCare began notifying affected patients following the investigation and offered complimentary credit monitoring and identity theft protection services to those whose Social Security numbers or driver’s license numbers were involved. The organization did not publicly disclose the total number of affected individuals, as the incident had not been listed on the HHS Office for Civil Rights breach portal at the time of the article’s publication on May 31, 2022.

In a separate but similarly structured incident, Cooper University Health Care based in Camden, New Jersey, disclosed that an unauthorized individual accessed an employee email account on November 24, 2021. The breach was detected on December 13, 2021, and the forensic investigation concluded on May 10, 2022. The compromised account contained patient information such as names, dates of birth, medical professional names, diagnosis and treatment details, billing and claims data, and medical record numbers. Cooper University Health Care stated that no evidence of actual or attempted misuse of patient data had been identified at the time notification letters were issued. Like BJC HealthCare, Cooper did not provide specific figures regarding the number of affected individuals, as the incident had not yet appeared on the HHS breach portal. Both organizations emphasized their commitment to reviewing security protocols and enhancing safeguards to prevent future incidents, though neither disclosed specific technical measures implemented in response.
