Cyber Incident Victim: Huntsville Hospital
Date: Nov 2018
Location: United States of America
Summary
A healthcare organization in Alabama experienced a data breach impacting job applicants due to a security incident at its third-party recruiting vendor, Jobscience. The vendor's systems, used for online employment applications since 2006, were compromised, potentially exposing applicants' personal information. While no misuse of data was confirmed, the hospital proactively notified affected individuals via mail and offered identity theft protection services—particularly to those whose Social Security Numbers may have been accessed. The breach reportedly affected thousands of applicants across multiple organizations relying on the vendor's services.
Description
Huntsville Hospital in Alabama disclosed a potential data breach impacting individuals who applied for jobs at the facility, attributing the incident to a security compromise at Jobscience, Inc., its third-party online employment application vendor. The breach, discovered in 2018, affected applicants who had submitted information through Jobscience's platform, which the hospital had utilized since 2006 for recruitment services. While the hospital did not specify the number of affected individuals, it acknowledged that applicants' personal information, including Social Security Numbers, was potentially exposed due to the vendor's breach. Jobscience is described as a cloud computing firm specializing in staffing solutions; there was no immediate evidence that data exposed in the incident had been misused. The hospital emphasized that the breach originated within Jobscience's systems, not its own infrastructure, and involved data processed by the vendor on its behalf during the application process.

Upon learning of the breach, Huntsville Hospital initiated a notification process by mailing letters to affected job applicants and employees whose data was processed through Jobscience. These communications informed recipients of the potential exposure of their sensitive information and outlined remedial measures, including complimentary identity theft protection services offered as a precaution despite no confirmed misuse of data. The hospital's public statement clarified that the breach response—including direct notifications and identity protection offerings—was coordinated due to the involvement of Social Security Numbers, reflecting a focus on mitigating risks associated with this high-sensitivity data element. No technical details regarding the breach's cause, intrusion methods, or containment procedures were disclosed by either the hospital or Jobscience in the available information. The incident underscored supply chain risks inherent in vendor-managed systems handling sensitive applicant data, though the hospital maintained operational continuity without reported disruptions to its hiring processes or internal systems.
