Cyber Incident Victim: Salem Health

In July 2019, an unauthorized individual gained access to employee email accounts at Salem Health Hospitals & Clinics through a phishing attack. The breach was discovered by the organization, though the exact method of detection was not disclosed in public statements. Hospital officials confirmed the compromise occurred within their email systems but could not determine whether the intruder viewed any patient information contained within the accessed accounts. A Salem Health spokesman publicly stated on November 7, 2019, that there was no evidence patient information had been "misused" following the incident. The health system did not specify how many employee accounts were compromised or the duration of unauthorized access prior to detection. No operational disruptions to clinical services or hospital systems beyond the email accounts were reported.

Salem Health formally notified affected patients about the email breach on September 27, 2019, approximately two months after discovering the incident. The organization did not disclose whether law enforcement was involved in investigating the phishing attack or what specific security measures were implemented following the breach. As of the November 7 report date, the incident had not been posted to the U.S. Department of Health and Human Services' public breach portal, which typically lists healthcare incidents affecting 500 or more individuals. The health system maintained that patient care operations remained unaffected throughout the incident response period. No additional details regarding potential data exposure categories or patient notification volumes were provided in the available public reporting.