Cyber Incident Victim: UConn Health

On December 24, 2018, an unauthorized party gained access to multiple employee email accounts at UConn Health, a Connecticut-based academic medical center. The breach was discovered during a subsequent investigation, though the exact method of initial compromise was not publicly detailed. The incident exposed sensitive patient information stored within these email accounts, potentially affecting approximately 326,000 individuals. Compromised data included names, dates of birth, physical addresses, and limited medical information related to billing details and appointment records. A subset of approximately 1,500 individuals had their Social Security Numbers exposed through the breached accounts. UConn Health explicitly stated the incident did not involve unauthorized access to its core computer networks or electronic medical record systems, limiting the intrusion to specific email accounts.

UConn Health initiated a multi-phase response beginning with forensic analysis conducted by a specialized security firm to determine the breach's scope. Notification letters were mailed to all potentially affected individuals, advising them of the exposed data categories while acknowledging uncertainty regarding whether information was actually viewed or acquired by the attacker. The organization coordinated with law enforcement agencies but did not disclose specific investigative partners. Public statements emphasized no evidence of fraud or identity theft linked to the breach at the time of disclosure. Remediation efforts focused on securing the compromised email accounts, though technical controls implemented were not described in available reports. The breach disclosure occurred nearly two months post-incident on February 22, 2019, through UConn Health's official channels and subsequent media coverage.