Cyber Incident Victim: Beaver Medical Group
Date: Jan 2023
Location: United States of America
Summary
Beaver Medical Group experienced a data breach stemming from a successful email phishing attack that compromised an employee's account, allowing unauthorized access to sensitive patient information. The incident exposed individuals' names, member ID numbers, health plan details, and premium payment amounts. Following an investigation triggered by unusual activity detected on the affected system, the organization initiated notifications to impacted patients regarding the unauthorized disclosure of their protected health data. The breach affected multiple healthcare facilities across California's Inland Empire region.
Description
On January 24, 2023, Beaver Medical Group (BMG) detected unusual activity on an employee's computer, prompting an internal investigation. The investigation confirmed that an unauthorized party gained access to the employee's email account through a successful phishing attack. The compromised email account contained files with confidential patient information, though BMG did not specify the exact timeframe of unauthorized access or the number of accounts involved. Forensic analysis revealed that the exposed data included patients' names, member identification numbers, health plan names, and premium payment amounts. BMG completed its review of the affected files to identify impacted individuals but did not disclose the total number of affected patients or whether other systems beyond the single email account were compromised. On March 8, 2023, BMG formally notified the California Attorney General's office of the breach and initiated mailed notifications to all affected patients. The organization did not report evidence of data misuse but acknowledged the incident increased risks of healthcare identity theft and fraud for victims. No technical containment measures, such as multi-factor authentication implementation or email security enhancements, were detailed in the notification.

Beaver Medical Group, a Redlands-based healthcare provider operating 17 facilities across California's Inland Empire since 1945, is a subsidiary of Optum—a Minnesota-based healthcare and software corporation. The breach exposed financial healthcare data (premium payment amounts) alongside identifiers (member IDs) and insurance details (health plan names), creating potential vectors for insurance fraud and targeted phishing against patients. As a provider generating approximately $80 million annually with 548 employees, BMG's incident response focused on regulatory compliance through state reporting and individual notifications rather than public disclosure of attack methodologies or security improvements. The compromised data did not include Social Security numbers, medical records, or payment card information according to available reports. Affected patients were not offered complimentary credit monitoring services, though BMG's notification acknowledged potential legal claims if negligence in data protection practices is established. The phishing attack's success highlighted vulnerabilities in employee email security within a healthcare organization managing patient data across urgent care centers, specialty clinics, and hospital affiliates like San Gorgonio Memorial Hospital.
