Cyber Incident Victim: JASACare

On January 29, 2016, JASACare, a New York-based home care services provider, experienced a cybersecurity incident involving unauthorized access to its email system. Hackers breached an employee’s email account during an attack primarily intended to steal money from corporate accounts through fraudulent bank transfers. The compromise lasted under two hours, with rapid detection by the organization limiting the attackers’ operational window. While the primary objective appeared financial, the breach exposed protected health information of patients and personal data of employees due to the accessed email account’s contents. JASACare confirmed the incident did not extend beyond the compromised email account, with no evidence suggesting systemic network infiltration or compromise of additional systems such as electronic health records. The attack timeline and confined duration indicated a focused effort rather than prolonged espionage or data exfiltration campaign.

JASACare notified 1,154 patients of potential exposure of their protected health information following internal investigation and impact assessment. The organization did not publicly specify exact data types exposed but confirmed the breach involved patient and employee information accessible via the compromised email account. No fraudulent transfers or financial losses were disclosed in available reporting, suggesting containment prevented the attackers’ primary objective. External cybersecurity forensic analysis was not explicitly detailed in public notifications, though the provider emphasized its prompt incident response mitigated potential harm. The incident highlighted risks associated with email system vulnerabilities being exploited for both financial fraud and secondary data exposure. JASACare’s public disclosure occurred via breach notifications to affected individuals and regulatory bodies, with HIPAA Journal reporting the event’s core details without subsequent updates on legal or regulatory outcomes.