Cyber Incident Victim: Legacy Community Health

On July 28, 2020, Legacy Community Health experienced a phishing incident when an employee fell victim to a fraudulent email attack. The compromise was identified the following day, July 29, through internal detection mechanisms. The Houston-based organization, operating across 15 locations, confirmed the unauthorized access was limited to the compromised employee’s email account. Investigations revealed the attacker potentially accessed emails containing patient information, though Legacy found no evidence of actual misuse or further exploitation of the data at the time of their announcement. The breach notification process began shortly after discovery, with Legacy mailing physical letters to affected individuals to inform them of the incident.

The compromised email account contained patient names, dates of service, and health information related to care received at Legacy facilities. A subset of exposed records also included Social Security numbers, though Legacy characterized these instances as "limited." The organization did not publicly disclose the total number of impacted patients across its Houston-area operations. In its public statement and individual notifications, Legacy emphasized the absence of evidence suggesting misuse of the exposed data but advised vigilance. No additional technical details regarding the phishing vector, attacker identity, or specific containment measures beyond the initial detection were provided in the disclosed information. Legacy’s response focused on direct patient notification without announcing broader remedial actions or system changes.