Cyber Incident Victim: MEDNAX Services, Inc.
Date: Jun 2020
Location: United States of America
Summary
MEDNAX Services experienced a cybersecurity incident involving unauthorized access to certain Microsoft Office 365-hosted business email accounts through phishing. The breach potentially exposed sensitive patient information, including contact details, Social Security numbers, financial account data, health insurance specifics, medical treatment records, and billing information, though not all data fields were confirmed as compromised for every individual. The organization conducted an investigation but could not definitively determine whether personal information was accessed by the unauthorized party. Affected individuals were offered identity monitoring services, though the total number of impacted patients remains undisclosed.
Description
On June 19, 2020, MEDNAX Services, Inc., a Florida-based provider of revenue cycle management and administrative services to physician groups, discovered unauthorized access to certain Microsoft Office 365-hosted business email accounts. The breach resulted from a phishing attack that compromised employee credentials, enabling the third party to infiltrate the accounts between June 17 and June 22, 2020. MEDNAX initiated an investigation following the discovery but could not conclusively determine whether the intruder accessed or exfiltrated personal information during the four-day window. The forensic analysis, completed in late November 2020, identified individuals whose data resided in the compromised accounts at the time of the incident. The exposed information potentially included patient contact details (names, addresses, dates of birth), Social Security numbers, driver’s license or state ID numbers, financial account information, health insurance specifics (policy numbers, deductibles, subscriber IDs), medical treatment records (diagnoses, prescriptions, physician names, medical record numbers), and billing-related documents such as claims and invoices. MEDNAX emphasized that not all data fields applied uniformly to every affected individual.

The company began notifying potentially impacted patients after completing its analysis, submitting a copy of the notification template to the California Attorney General’s Office. While the breach stemmed from compromised email accounts rather than direct attacks on medical systems, the breadth of exposed data posed significant risks, including identity theft and medical fraud. MEDNAX offered complimentary identity monitoring services to affected individuals as a remedial measure. As of the article’s publication date, the incident did not appear on the U.S. Department of Health and Human Services’ public breach portal, suggesting that either MEDNAX or its physician clients had not yet reported the total number of affected patients to HHS. The lack of definitive evidence regarding data access underscored the challenges in assessing the breach’s full scope, though the presence of highly sensitive information in the email accounts necessitated precautionary notifications.
