Cyber Incident Victim: Endeavor Energy Resources
Date: Jan 2020
Location: United States of America
Summary
Endeavor Energy Resources experienced a phishing attack compromising an employee's Office 365 account, potentially exposing protected health information including names and health plan member IDs of current and former employees, affiliates, and dependents enrolled in the company health plan. The breach impacted 5,103 individuals, with notifications issued under HIPAA requirements and no reported misuse of data at the time of disclosure. The organization implemented enhanced safeguards and additional security evaluations to prevent future incidents, establishing a dedicated call center for affected individuals.
Description
On January 14, 2020, Endeavor Energy Resources, an oil and gas exploration and production company, discovered that an unauthorized party had potentially accessed protected health information through a phishing attack targeting an employee’s corporate Office 365 account earlier that same day. The compromised account contained unsecured protected health information, prompting an immediate investigation. By February 7, following a detailed review of the account, Endeavor confirmed the exposed data included names and health plan member ID numbers belonging to current and former employees of Endeavor and its affiliate companies, as well as dependents enrolled in the company’s health plan. The breach impacted 5,103 individuals, as reported to the U.S. Department of Health and Human Services (HHS). Endeavor notified all potentially affected parties in accordance with HIPAA’s Breach Notification Rule, though no evidence of misuse of the exposed information was identified at the time of disclosure.

Endeavor responded by implementing enhanced safeguards for protected health information and initiating an evaluation of additional security procedures to prevent similar incidents. The company established a dedicated incident response call center to address inquiries from affected individuals and provided media and general inquiry contacts through spokesperson Lacy Sperry. The breach underscored vulnerabilities in employee email security but did not disrupt broader corporate operations. Endeavor’s public statement emphasized its commitment to privacy and security while acknowledging the phishing scam’s success in compromising a single employee account. The incident highlighted the risks associated with targeted phishing attacks on personnel with access to sensitive health data, though no further exploitation of the stolen information was reported following containment efforts.
