Cyber Incident Victim: San Juan Regional Medical Center

Date: Sep 2020

Location: United States of America

Summary

San Juan Regional Medical Center experienced unauthorized network access resulting in the removal of personal and protected health information over a two-day period. The compromised data included names, Social Security numbers, financial account details, health insurance information, medical records, and other identifiers, though not all patients or data types were uniformly affected. Following forensic investigation and manual document review, the organization notified impacted individuals through multiple notification rounds after confirming the scope. While no evidence of data misuse was found, the institution implemented enhanced network security measures and procedural improvements to mitigate future threats.

Description

San Juan Regional Medical Center (SJRMC) detected unauthorized access to its network on September 8, 2020, prompting immediate action to secure the network and mitigate further harm. A forensic investigation revealed that an unauthorized individual had removed information from the network during a two-day period spanning September 7-8, 2020. The manual review of the compromised files, completed on July 13, 2021, confirmed the presence of personal and protected health information belonging to certain patients. The impacted data included names, dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance details, and medical information such as diagnoses, treatments, medical record numbers, and patient account numbers. The breach did not affect all SJRMC patients, and the scope of compromised information varied among individuals. SJRMC found no evidence of misuse of the stolen data during its investigation. Due to the extensive time required to manually review the affected files, the organization conducted two notification rounds—one in June 2021 and another in September 2021—to inform impacted individuals for whom physical addresses could be verified.

In response to the incident, SJRMC established a dedicated toll-free call center and implemented a notification process through website announcements and mailed letters. The medical center offered complimentary credit monitoring services specifically to individuals whose Social Security numbers were exposed in the breach. Affected patients received guidance to monitor financial accounts, credit reports, and insurance statements for unauthorized activity, with instructions provided for placing fraud alerts or security freezes through the three major credit bureaus. SJRMC emphasized ongoing enhancements to its network security protocols and internal procedures to address evolving cybersecurity threats, including regular assessments and policy updates designed to prevent similar incidents. The organization maintained its commitment to safeguarding patient information while acknowledging the challenges posed by increasingly sophisticated cyber threats, implementing these measures as part of a comprehensive response strategy following the forensic investigation’s conclusions.
