Cyber Incident Victim: CHI St. Luke's Health-Memorial Lufkin
Date: Mar 2020
Location: United States of America
Summary
CHI St. Luke’s Health-Memorial Lufkin experienced a security incident involving unauthorized access to two employee email accounts containing patient information, discovered during the investigation of an earlier security event on one of its servers. The potentially exposed data included names, diagnoses, treatment dates, and facility account numbers, though no evidence confirmed actual viewing or misuse of the information. The organization initiated an internal and forensic investigation, engaged law enforcement, and implemented corrective measures such as password resets, hardware replacements, software upgrades, and revised network access protocols. While electronic health records remained unaffected, notifications were sent to potentially impacted individuals, who were offered access to a dedicated call center and complimentary credit monitoring services.
Description
On March 25, 2020, CHI St. Luke’s Health-Memorial Lufkin became aware of a security event involving one of its servers, prompting an investigation. During this investigation, the organization discovered on April 23, 2020, that an unapproved third party had potentially accessed patient information contained within two employee email accounts. While no evidence confirmed that the unauthorized actor viewed or obtained the data, the hospital could not definitively rule out the possibility of access. The compromised information included patients’ names, diagnoses, dates of services, and facility account numbers. Electronic health records systems were not involved in the incident. The hospital initiated an internal investigation through its threat management team and engaged forensic vendors to analyze the breach. Investigative steps included reviewing data and access logs, conducting threat intelligence analysis, interviewing employees, and examining various data file types to assess potential data exposure. No evidence indicated misuse of patient information or access to additional data categories beyond those specified.

CHI St. Luke’s Health-Memorial Lufkin implemented multiple corrective measures following the discovery, including resetting passwords across the facility, replacing and upgrading hardware, modifying software configurations, and altering network access procedures. The organization collaborated with law enforcement and forensic experts to confirm network security and prevent recurrence. Notifications were sent to potentially affected individuals and regulators as a precautionary measure. A dedicated call center operated by Kroll was established to address patient inquiries, with support available on weekdays excluding major U.S. holidays. Impacted individuals were offered complimentary Experian credit monitoring for up to one year. The hospital emphasized its commitment to protecting patient data integrity and advised vigilance regarding financial statements and credit reports, directing patients to FTC resources for additional guidance on safeguarding personal information.
