Date: Feb 2020

Location: United States of America

Summary

Lafayette Regional Rehabilitation Hospital experienced two phishing-related breaches compromising patient information via unauthorized access to employee email accounts. The first incident involved delayed discovery and notification, prompting reinforced employee training and enhanced security measures, but a subsequent phishing attack occurred shortly thereafter, exposing names, dates of birth, treatment details, and some Social Security numbers. The second breach was detected significantly faster than the initial one, though notifications for both incidents affected thousands of patients.


Description

Lafayette Regional Rehabilitation Hospital in Indiana experienced two separate phishing-related breaches affecting patient information within a short timeframe. The first incident occurred in July 2019 when an unauthorized individual gained access to an employee's email account containing protected health information. The hospital discovered this breach on November 25, 2019, nearly four months after the initial compromise. Notifications were sent to 1,360 patients on January 24, 2020, disclosing that accessed information included names, dates of birth, treatment details, and in some cases Social Security numbers. While implementing enhanced security measures and retraining staff following this incident, the hospital faced a second phishing attack beginning February 3, 2020. Unauthorized access to another employee's email account persisted until February 8, 2020, with the hospital detecting the breach on February 10 - significantly faster than the previous incident's discovery timeline.


The second breach exposed similar categories of sensitive patient data, including names, birth dates, treatment information, and select Social Security numbers. Notification letters for this subsequent incident began distribution on April 10, 2020, though the total number of affected patients remained unspecified because the breach had not yet appeared on HHS's public breach portal at the time of reporting. The hospital's public statements indicated that both incidents stemmed from employee email account compromises via phishing. Following the initial breach, organizational responses included reinforced cybersecurity training for staff and deployment of upgraded security tools. The recurrence of a nearly identical attack methodology within weeks of the first breach's public disclosure suggested potential gaps in the effectiveness, or the completion timeline, of these remedial measures. Detection did improve, as shown by the shorter interval between compromise and discovery (seven days versus roughly four months), but both incidents still resulted in substantial patient data exposure requiring regulatory notifications.
