Cyber Incident Victim: Sea Mar Community Health Centers
Date:
Dec 2020
Location:
United States of America
Summary
Sea Mar Community Health Centers experienced a cybersecurity incident involving unauthorized access and data exfiltration from its systems over several months, compromising sensitive information of approximately 688,000 individuals. The breach exposed personal and medical details including names, Social Security numbers, dates of birth, treatment and diagnostic information, insurance data, claims, and dental images. Following an investigation with third-party cybersecurity experts, notification letters were distributed months later, offering credit monitoring and identity theft protection services to affected individuals whose Social Security numbers were involved. The organization stated no evidence of data misuse had been identified at the time of notification.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Sea Mar Community Health Centers, a nonprofit provider serving underserved communities in Washington state, experienced a significant cybersecurity incident involving unauthorized access and data exfiltration. The organization discovered on June 24, 2021, that sensitive data had been stolen from its IT systems by an unauthorized individual. With assistance from a third-party cybersecurity firm, Sea Mar determined the breach occurred over an extended period, with system access occurring between December 2020 and March 2021. A comprehensive review of compromised data confirmed the theft of multiple protected health information elements including full names, addresses, Social Security numbers, dates of birth, client identification numbers, diagnostic and treatment details, insurance and claims information, and dental treatment images. The breach impacted approximately 688,000 individuals whose sensitive health and personal data was exposed to potential misuse by threat actors operating within Sea Mar's network during the four-month intrusion period.
Following the investigation, Sea Mar initiated breach notification procedures that extended through late 2021. The organization completed gathering necessary contact information for affected individuals by August 30, 2021, with physical notification letters mailed between October 29 and November 5 of that year. While Sea Mar stated no evidence of actual information misuse had been detected, the organization offered complimentary credit monitoring, identity theft protection, and fraud consultation services specifically to individuals whose Social Security numbers were compromised in the incident. The breach notice published on Sea Mar's website detailed the scope of stolen data categories but did not disclose technical specifics regarding the attack methodology or system vulnerabilities exploited. The incident represented one of two major healthcare breaches reported around this timeframe, collectively exposing sensitive information of over 1.27 million patients across affected organizations.