Date: Aug 2018

Location: United States of America

Summary

An unauthorized individual compromised an employee email account at Critical Care, Pulmonary & Sleep Associates, using it to send phishing messages targeting contacts. The breach exposed personal and protected health information, including names, dates of birth, addresses, clinical details, insurance information, Social Security numbers, and driver’s license data, though electronic medical records and financial data remained unaffected. The organization secured its systems, initiated forensic investigations, enforced password resets, enhanced network access protocols, and provided complimentary credit monitoring to nearly 24,000 impacted individuals. Law enforcement was notified, and additional security training was implemented to prevent future incidents.


Description

On November 23, 2018, Critical Care, Pulmonary & Sleep Associates (CCPSA) discovered unauthorized access to an employee’s email account, which was being used to send phishing emails to contacts in the employee’s address book seeking fraudulent financial payments. The Colorado-based medical practice immediately blocked further access, secured the compromised account, and initiated an investigation with assistance from a national forensic firm. The forensic investigation, concluded on December 14, 2018, determined unauthorized actors had accessed certain CCPSA email accounts between August 14 and November 23, 2018. CCPSA confirmed its electronic medical records platform remained uncompromised throughout the incident. A subsequent review of emails and attachments identified 23,377 individuals whose personal information was potentially exposed, though investigators could not definitively confirm whether data was viewed or copied by the threat actor.

The exposed information included full names, dates of birth, addresses, phone numbers, email addresses, clinical details (dates of service, diagnoses, lab results, medications, treatment notes), insurance information (member/group numbers, service costs), Social Security numbers, and driver’s license numbers. Credit and debit card information was not involved. CCPSA notified affected individuals via mail, reported the breach to law enforcement, and implemented immediate corrective measures including forced password resets for all employee accounts, modifications to network access protocols, and enhanced security rules within their IT environment. The practice mandated additional security awareness training for staff and offered impacted individuals one year of complimentary credit monitoring through TransUnion’s myTrueIdentity service, requiring enrollment by April 30, 2019. A dedicated call center operated by Epiq was established to address patient inquiries. CCPSA also notified major credit bureaus (Experian, Equifax, TransUnion) about the breach and advised patients to monitor financial statements, credit reports, and insurance explanations of benefits for unauthorized activity.
