Cyber Incident Victim: Advocate Aurora Health
Date: Jan 2020
Location: United States of America
Summary
Advocate Aurora Health experienced a breach of its human resources system following a successful email phishing campaign, leading to unauthorized access to sensitive personal information of current and former employees. The compromised data included Social Security numbers and bank account details, exposing affected individuals to potential identity theft or financial fraud. The incident stemmed from an external attacker temporarily gaining entry to the HR platform through deceptive email tactics targeting the organization.
Description
In early January 2020, Advocate Aurora Health experienced a cybersecurity incident involving unauthorized access to its human resources systems. The breach originated from an email phishing campaign that successfully compromised employee credentials, allowing an external attacker temporary access to sensitive HR data repositories. The Milwaukee- and Downers Grove, Illinois-based health system discovered that current and former employees' personally identifiable information had been exposed, including Social Security numbers and bank account details. The intrusion occurred through targeted phishing emails designed to harvest legitimate login credentials, though the specific number of affected individuals or precise attack vectors were not publicly disclosed. Advocate Aurora confirmed the breach in late February 2020 after completing preliminary forensic investigations, indicating a detection and analysis period spanning approximately six weeks. The compromised HR system contained employment-related records rather than patient medical data, narrowing the impact scope to workforce members across the organization's Midwestern healthcare facilities. No evidence suggested the attacker accessed clinical systems or patient records during this incident.

The exposure of Social Security numbers and banking information created significant risks of financial fraud and identity theft for affected personnel. Advocate Aurora initiated standard breach response protocols, including internal forensic reviews to determine access duration and data exfiltration extent. While confirming the attacker's access was temporary, the organization did not specify whether multi-factor authentication protections were bypassed or whether the phishing campaign targeted specific employee groups. Notification letters were distributed to impacted current and former staff, though regulatory filings or public statements did not quantify the workforce segment affected. The health system's public disclosure emphasized the HR system breach without referencing operational disruptions to clinical services or additional compromises beyond employee data. No ransomware deployment, data destruction, or extortion demands were reported in connection with the incident during the initial disclosure period.
