Cyber Incident Victim: Metrocare Services
Date:
Aug 2018
Location:
United States of America
Summary
Metrocare Services experienced a breach when unauthorized actors accessed employee email accounts, potentially compromising personal and health information of 1,804 individuals. The exposed data included names, dates of birth, health insurance details, driver’s license numbers, medical service records, and some Social Security numbers. The organization secured affected accounts, initiated an investigation, and notified impacted parties while offering credit monitoring to those with exposed Social Security numbers. Additional security enhancements to email systems and employee training were implemented following the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 4, 2018, Metrocare Services discovered unauthorized third-party access to several employee email accounts, with the intrusion beginning on August 2, 2018. The organization immediately secured the compromised accounts and initiated an investigation to determine the scope and impact. Forensic analysis confirmed the unauthorized access occurred but could not definitively establish whether emails containing protected health information were viewed or exfiltrated. The investigation revealed that affected email accounts contained sensitive data belonging to 1,804 individuals who had received services through Metrocare. Exposed information included full names, dates of birth, health insurance details, driver's license numbers, and treatment-related health information. For some patients, Social Security numbers were also present in the breached email accounts. The two-month gap between initial compromise and detection allowed potential exposure of communications spanning clinical operations and administrative functions.
Metrocare began notifying affected patients and the U.S. Department of Health and Human Services on November 1, 2018, exactly two months after discovering the breach. Notification letters outlined the types of exposed data and offered complimentary credit monitoring and identity protection services to individuals whose Social Security numbers were involved. The organization established a dedicated call center operational weekdays from 8 AM to 5 PM Central Time to address patient inquiries, with instructions to contact the center by November 25 if notification letters hadn't been received. Patients were advised to scrutinize healthcare statements for unauthorized services. In response to the incident, Metrocare implemented enhanced email security controls and expanded information security training for staff to reduce future risks, though specific technical measures weren't disclosed. The breach exposed vulnerabilities in email account protections affecting both administrative and clinical support personnel.