Cyber Incident Victim: Genesis Health Care
Date:
Jan 2022
Location:
United States of America
Summary
Genesis Health Care experienced a cybersecurity incident involving unauthorized access to its computer systems over a period of nearly three months, detected during an internal investigation that prompted system security measures and third-party forensic assistance. The breach potentially exposed sensitive consumer data, likely including protected health information, Social Security numbers, financial account details, or government-issued identification numbers, based on state reporting requirements and the organization's healthcare operations. The provider, a nonprofit Federally Qualified Health Center serving South Carolina communities, notified affected individuals after confirming the scope of compromised information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 11, 2022, Genesis Health Care, Inc. detected suspicious activity within its computer network, prompting immediate containment measures. The company secured its systems, reported the incident to law enforcement, and engaged an external cybersecurity firm to investigate. Forensic analysis confirmed an unauthorized party had accessed the network from January 19, 2022, until the April 11 discovery—a nearly three-month intrusion period. By June 9, 2022, investigators verified that threat actors accessed files containing sensitive consumer information, though the specific data types were not publicly disclosed. Genesis initiated a comprehensive file review to identify compromised information and affected individuals. Based on Montana’s breach reporting requirements—which mandate disclosure only for incidents involving Social Security numbers, financial account details, protected health information, or government ID numbers—the incident likely exposed one or more of these categories. The company completed consumer impact assessments by September 2, 2022, when it issued data breach notifications via mail to all affected parties.
As a Federally Qualified Health Center operating 11 South Carolina-based medical practices and pharmacies, Genesis manages significant volumes of patient data. While the breach notification did not explicitly confirm exposure of protected health information (PHI), healthcare industry context and state reporting thresholds suggest PHI was potentially included. PHI becomes actionable for identity theft when paired with identifiers like names, addresses, or Social Security numbers—data types implicated by Montana’s disclosure criteria. Unauthorized use of such information could enable healthcare fraud, where criminals obtain medical services under victims’ identities, risking contamination of medical records with inaccurate treatment histories. Genesis’s response timeline spanned five months from initial detection to consumer notifications, with law enforcement collaboration and third-party forensic support constituting primary containment actions. No operational disruptions or specific attacker methodologies were detailed in regulatory filings.