Cyber Incident Victim: DeKalb Health
Date: Feb 2014
Location: United States of America
Summary
A healthcare provider experienced a data breach when a third-party vendor's server was compromised, exposing patient information across three groups. Initially, 17 online bill pay users had names, addresses, credit card numbers, and Social Security numbers accessed. Attackers also created a fraudulent donation page, linked to through phishing emails and through defacement of the provider's website. A second group of 24 pre-admission patients had extensive personal and insurance details exposed, including demographics and medical service types. A third database contained information for approximately 1,320 nursery patients (including infant names, birth details, and parent credentials), though unauthorized access to that data was not confirmed. The organization terminated use of the compromised server, notified all affected individuals, and offered identity monitoring services while establishing a dedicated call center for inquiries.
Description
The incident involving DeKalb Health stemmed from a compromise of a third-party vendor’s server used to operate the hospital’s website. On or around February 12, 2014, the hospital became aware of a potential breach affecting 17 users of its online bill pay system. The compromised data for this first group included names, home addresses, credit card numbers, and Social Security numbers. Law enforcement investigated the hacking incident, which originated from an overseas attack targeting the vendor’s server. After authorities completed their investigation and identified affected individuals, DeKalb Health mailed notification letters to these 17 patients on March 26, 2014. Concurrently, investigators discovered that attackers had created a fraudulent website mimicking the DeKalb Health Foundation donation page and distributed phishing emails directing recipients to this fake site. The hackers additionally defaced DeKalb’s official website to include a link to the fraudulent donation portal. Upon identifying this scheme, the hospital issued public alerts through local news outlets and its website to warn community members.

Further investigation on March 27, 2014, revealed two additional databases on the compromised server. The second database contained pre-admission information for 24 patients, including names, addresses, email addresses, dates of birth, Social Security numbers, hospital ID numbers, insurance details, service types, telephone numbers, gender, marital status, religion, race, and demographic data about employers, emergency contacts, and guarantors. Notification letters for this group were sent on April 1, 2014. The third database held information for approximately 1,320 nursery babies whose parents had consented to share details via the hospital’s “Web Babies” site between December 2002 and March 2014. This data included baby names, weights, lengths, birth dates, parent names, and website access passwords, though investigators found no evidence the nursery data was accessed. DeKalb compiled addresses for these families and mailed notifications on April 25, 2014. The compromised server was not connected to DeKalb’s internal patient data systems. In response, the hospital terminated use of the affected server through its third-party vendor and initiated a review of its vendor relationship. DeKalb offered one year of free identity monitoring to all impacted individuals and established a dedicated call center to address patient inquiries.
