Cyber Incident Victim: Sinai Health System

Date: Dec 2019

Location: United States of America

Summary

A Chicago-based healthcare provider experienced unauthorized access to two employee email accounts, potentially exposing patient information including names, addresses, dates of birth, Social Security numbers, health records, and insurance details. Forensic analysis found no evidence that data was removed, misused, or disseminated to unauthorized parties, though the organization engaged external experts to identify affected individuals. The provider implemented corrective measures such as password resets, employee training, enhanced email security protocols, and policy revisions to strengthen system protections.

Description

Sinai Health System, a Chicago-based healthcare provider serving approximately 1.5 million people through multiple hospitals and affiliated institutions, experienced a data security incident involving unauthorized access to two employee email accounts. The organization first detected a potential compromise and initiated an investigation, culminating in forensic IT experts confirming on October 16, 2019, that patient information might have been exposed due to this breach. The unknown third party gained access to the email accounts at an unspecified time prior to this discovery. Sinai engaged external specialists to analyze the scope and confirmed that while the intruder accessed the accounts, there was no evidence suggesting any extraction or removal of patient data from their systems. The investigation also found no indication that emails containing sensitive information were opened during the unauthorized access period, and Sinai publicly stated there was no misuse of patient data or evidence that information had circulated among unauthorized parties.

The potentially exposed data included patient names, addresses, dates of birth, Social Security numbers, health information, and health insurance details. Sinai undertook a review to identify affected individuals with assistance from external experts. In response to the incident, the organization implemented multiple corrective measures: resetting passwords for all employee email accounts, conducting enhanced cybersecurity training for staff, upgrading email filtering capabilities to detect malicious content, revising internal security policies, and collaborating with specialists to strengthen email system defenses. These actions aimed to prevent recurrence while maintaining operations across its facilities, which include Mount Sinai Hospital, Holy Cross Hospital, and Sinai Medical Group among others. The breach notification did not specify the number of impacted patients or the exact duration of unauthorized access but emphasized the absence of evidence regarding data misuse or systemic compromise beyond the two email accounts.
