Cyber Incident Victim: Clinivate
Date: Mar 2022
Location: United States of America
Summary
A healthcare organization experienced unauthorized access to its electronic health record system, compromising sensitive personal and medical information including names, Social Security numbers, medical records, treatment details, diagnoses, and payment data. The breach was discovered following detection of unusual network activity, prompting an investigation that confirmed system compromises and data access over a multi-day period. Affected individuals were notified months later and offered identity monitoring services through a third-party provider. The organization implemented enhanced security measures and reported the incident to federal law enforcement authorities, cooperating with potential investigations while providing guidance to impacted parties on protecting their information.
Description
Clinivate, a Pasadena-based company, detected unusual activity within its digital ecosystem in March 2022, prompting an internal investigation. The organization engaged an independent digital forensics firm to assist in assessing the breach's scope and origin. By May 2022, investigators confirmed specific systems and files had been compromised, with evidence of unauthorized access occurring between March 12 and March 21, 2022. This nine-day window represented the active period of data exposure within Clinivate's electronic health record system. The company delayed public notification until July 22, 2022, when it began sending breach disclosure letters to potentially affected individuals.

The compromised data included highly sensitive protected health information such as full names, Social Security numbers, medical record numbers, and health plan beneficiary numbers. Clinical details including treatment information, diagnosis data, and payment-related records were also exposed. In response, Clinivate implemented enhanced security measures across its infrastructure to prevent recurrence of similar incidents. The company formally notified the Federal Bureau of Investigation and pledged full cooperation with any subsequent law enforcement investigations. Affected individuals received guidance on protecting their personal information, with IDX—a data security and recovery services provider—offering complimentary identity monitoring and protection services to eligible recipients. The breach notification occurred over four months after initial detection and nearly two months after confirmation of compromised systems.
