Cyber Incident Victim: Summa Health

Date: Aug 2018

Location: United States of America

Summary

Summa Health experienced an email phishing incident targeting employees, resulting in unauthorized access to patient information. The compromised employee accounts exposed medical records and personal data of over 500 individuals. The unauthorized access occurred on multiple occasions but was discovered only months later, prompting the organization to notify affected patients about potential risks to their sensitive information.

Description

Summa Health, an Akron-based healthcare system, experienced a data breach involving unauthorized access to employee email accounts through phishing attacks. The incident occurred in two distinct periods: initially in August 2018 and again in March 2019. The health system discovered the compromise on May 1, 2019, nearly eight months after the first intrusion and approximately two months following the second incident. Investigation revealed that an unauthorized individual gained control of employee email accounts during these periods, potentially exposing patient information. Over 500 individuals had their medical records and personal data placed at risk due to this email account compromise. The breached information included sensitive patient details contained within the accessed email communications and attachments.

Summa Health initiated notification procedures on June 28, 2019, by sending letters to all affected patients regarding the potential exposure of their protected health information. The organization did not publicly specify whether the phishing attacks targeted specific departments or roles within the organization, nor did it disclose technical details about the phishing mechanisms used. The breach timeline indicates a prolonged period between initial intrusion (August 2018) and detection (May 2019), with a subsequent two-month investigation period before patient notifications. No evidence suggests encryption or other technical safeguards prevented access to the compromised email accounts. The health system's public disclosure emphasized the potential risk to patient data but did not report confirmed instances of identity theft or fraud stemming directly from the incident at the time of notification.
