Cyber Incident Victim: Healthgrades
Date: Oct 2020
Location: United States of America
Summary
An unauthorized individual accessed Healthgrades Operating Company's archived server, compromising historical patient data from a medical center that previously utilized their services. The exposed information included names, addresses, demographic details, Social Security numbers, medical record numbers, treatment codes, insurance information, and limited health data. Healthgrades notified the affected medical center after discovering the breach, confirming the incident was isolated to their own systems and did not involve the healthcare provider's internal networks. Law enforcement was engaged, and the vendor assured no residual patient data remained on their systems. While no misuse of information has been detected, impacted individuals were offered complimentary credit monitoring services.
Description
On October 16, 2020, an unauthorized individual gained access to an archived server maintained by Healthgrades Operating Company, Inc., a former vendor of Lexington Medical Center (LMC). The intrusion persisted until October 28, 2020, though LMC was not notified of the incident until January 29, 2021, when Healthgrades completed its investigation. The compromised server contained backup files with LMC patient information dating from mid-2010 to mid-2011, a period during which Healthgrades provided patient education and community outreach services for the medical center. Healthgrades confirmed the exposed data included patient names, addresses, demographic details, contact information, dates of birth, LMC medical record numbers, Social Security numbers, dates of service, and patient type classifications. Additional compromised fields encompassed treatment codes, billing codes with descriptions (potentially indicating diagnoses), physician names and specialties, guarantor names, insurance types, insurance providers, and treatment cost information. The breach was confined to Healthgrades' archived systems and did not involve LMC's internal networks or electronic health records. LMC initiated its own review upon notification and verified that no current patient data was being transmitted to Healthgrades at the time of discovery.

Lexington Medical Center mailed notification letters to affected patients on March 26, 2021, approximately five months after the intrusion period and two months after being alerted by Healthgrades. The hospital established a dedicated call center operational on weekdays from 9:00 AM to 6:30 PM Eastern Time to address patient inquiries. Impacted individuals were offered complimentary identity theft protection and credit monitoring services through enrollment instructions included in the notification correspondence. Healthgrades reported the incident to law enforcement and cooperated with subsequent investigations while assuring LMC that all archived patient data had been purged from their systems. LMC conducted internal audits confirming the cessation of data transfers to the vendor. No evidence of data misuse was identified during the investigation period. The medical center advised patients to review healthcare statements for unauthorized services but emphasized that the breach originated exclusively within Healthgrades' infrastructure without compromising LMC's operational security.
