Cyber Incident Victim: @Compl3x1ty
Date: Feb 2015
Location: United States of America
Summary
A cybersecurity incident involving a medical group's outdated file-sharing application was disclosed via Twitter by @Compl3x1ty, revealing unauthorized access through SQL injection. The breach exposed 98 usernames, MD5-hashed passwords, and email addresses from a legacy system used by Lutheran Health Network's staff for non-patient documents. Following notification challenges due to invalid contact information, the organization confirmed the compromised data was historical and unrelated to current patient records. The affected application, inactive for an extended period, was fully decommissioned by removing associated databases and files to eliminate future risks. The incident underscored the importance of maintaining accessible security contact channels for external vulnerability reporting.
Description
On February 14, 2015, cybersecurity researchers operating under the Twitter handles @DeleteSec and @DerpLaughing publicly disclosed a data dump involving St. Joseph Medical Group, part of Lutheran Health Network. The incident gained wider attention when Twitter user @Compl3x1ty subsequently announced the breach, prompting DataBreaches.net to investigate. Analysis of the dumped data revealed 98 compromised records containing staff usernames, MD5-hashed passwords, and email addresses obtained through an SQL injection attack targeting the medical group's web infrastructure. The attackers exploited vulnerabilities in a legacy file-sharing application hosted on stjoemedicalgroup.com, which had been created years prior to mainstream cloud storage solutions like Dropbox. Initial attempts to notify Lutheran Health Network about the exposure proved challenging due to inadequate contact information on their website and non-functional phone numbers listed in domain registration records, delaying formal notification until DataBreaches.net successfully reached a technical contact via email.

Lutheran Health Network's webmaster confirmed on April 24, 2015 that the compromised data represented historical records from a deprecated internal file-sharing system inactive for several years. The credentials provided access only to non-patient-related documents with no sensitive health information exposed. Forensic examination determined the SQL injection attack did not penetrate core medical systems or patient databases. In response, network administrators completely removed all database tables and associated files linked to the obsolete application to prevent future exploitation. The organization acknowledged the breach notification efforts while emphasizing the limited operational impact given the application's discontinued use and non-clinical nature of exposed data. Public disclosure occurred two months after the initial data dump through coordinated researcher communications across multiple social media platforms.
