Cyber Incident Victim: Jefferson Health
Date:
Nov 2021
Location:
United States of America
Summary
Jefferson Health experienced unauthorized access to an online health insurance billing portal, where an attacker attempted to divert wire payments and obtained a remittance sheet containing names, partial birth dates, service dates, treatment codes, and costs for approximately 8,714 patients across two affiliated hospitals. No Social Security numbers, insurance details, or financial account information were compromised in the incident. The organization notified affected individuals and initiated security protocol reviews following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 18, 2021, unauthorized individuals gained access to an online health insurance portal utilized by Jefferson Health for submitting billing information to facilitate payment processing. The attackers exploited this access to attempt the diversion of wire payments intended for Jefferson Health. The breach was detected by Jefferson Health on November 22, 2021, during which investigators confirmed the attackers had acquired a remittance sheet containing billing information. This document impacted 5,239 patients of Thomas Jefferson University Hospital and 3,475 patients of Abington Memorial Hospital. Compromised data included patient names, month and year of birth, dates of service, treatment codes, and associated treatment costs. No evidence indicated exposure of Social Security numbers, health insurance details, financial account information, or clinical treatment records beyond the billing-related elements. The portal intrusion and subsequent payment diversion attempt constituted the primary malicious activity.

Jefferson Health initiated notification letters to all affected individuals following confirmation of the breach scope. The organization concurrently launched a review of its security protocols with stated intentions to implement enhancements to prevent similar incidents. Forensic analysis confirmed the attacker’s access was limited to the billing portal and the exfiltrated remittance sheet. No additional systems or databases beyond this portal were confirmed as compromised. Jefferson Health did not report evidence suggesting misuse of the accessed data prior to containment. The incident remained confined to billing information without spillover into clinical records or sensitive identifiers. Response efforts focused on breach notification, internal security assessments, and procedural adjustments to payment verification workflows.
